The healthcare industry may finally see light at the end of the tunnel.
The number of healthcare data breaches reported in 2017 increased slightly from the year prior – but there is good news.
The number of patient records impacted by breaches plunged 79.6% compared to 2016, according to statistics from the Breach Barometer Report 2017 by Protenus and Databreaches.net.
This continues a drop from the record-breaking HIPAA breaches reported in 2015. But has healthcare really turned a corner?
Dig into the report’s statistics below. See where more work is needed and get a few talking points to share with your healthcare clients.
The report combines data from the HIPAA Breach Portal and other sources, counting a total 477 healthcare breaches reported in 2017.
That’s an average of slightly more than one breach (1.3) per calendar day.
Considering only business days, the average bumps to 1.8 – or about five breaches every three days.
Tell your clients: every day brings a new data breach in healthcare.
The number of healthcare records exposed in security incidents fell dramatically in 2017 – but it would be difficult to match the high-mark set in recent years.
More than 5 million patient records were affected by HIPAA breaches reported in 2017, according to the report.
That’s a significant improvement from the 27 million records affected in 2016 and the more than 100 million affected in 2015.
The scale of the largest HIPAA breaches has been falling since 2015, a year in which a single attack exposed more medical records than all of 2016 and 2017 combined.
In 2015, individual breaches exposed 78 million records (Anthem), 11 million records (Premera), and 10 million records (Excellus).
In 2016, the largest HIPAA breaches were much smaller. The three largest exposed 3.6 million records (Banner Health), 3.8 million records (Newkirk Products), and 2.2 million records (21st Century Oncology).
In 2017, the three biggest healthcare data breaches reported impacted 697,800 records (Commonwealth Health), 500,000 records (Airway Oxygen), and 300,000 (Women’s Health Care Group of PA).
The report classifies breaches slightly differently than the HIPAA Breach Portal, helping to more specifically identify a breach’s cause.
Insiders – people working within the breached organization – were responsible for slightly more than one-third (37%) of HIPAA breaches reported in 2017, according to the report.
Hacking – or cyber attacks originating from outside the organization – also caused slightly more than one-third (37%) of healthcare breaches reported last year.
Of the remaining 26%, about 16% were attributed to loss or theft (excluding theft attributed to insiders), and the remaining 10% had insufficient data and were not classified.
Ransomware Breaches Spike in HealthcareHacking-related data breaches impacted the greatest number of healthcare records in 2017 – about 3.4 million, or 62% of the total for the year.
Within this group, 2017 saw a jump in breaches associated with ransomware and malware.
While only 30 such breaches were reported in 2016, the number more than doubled to 64 reported in 2017.
Is this due to a spike in ransomware attacks? It’s possible, and it’s also possible that victims of the attacks are growing more likely to report them.
In 2016, the DHHS OCR (Department of Health and Human Services Office for Civil Rights) published a ransomware fact sheet – which clarified the instances in which a ransomware attack is considered a HIPAA breach and must be reported.
The OCR reminded covered entities about this guidance in mid-2017, during a rash of ransomware attacks on hospitals.
Given the spike in reported ransomware attacks in healthcare – perhaps covered entities are getting the message.
Insider HIPAA Breach Overlooked for 14 YearsInsiders caused 176 of HIPAA breaches reported last year, or about 37% of the total. They impacted about 1.7 million patient records, or 30% of the total for 2017.
The report splits insider breaches into two types: insider error (58%) and insider-wrongdoing (40%).
Insider wrong-doing caused fewer breaches but impacted more patient records than insider error: 893,978 vs. 785,281 respectively – a difference of 14%.
To underscore the threat of malicious insiders, the report notes the case of a hospital employee who snooped on patient records for a staggering 14 years.
The breach, which took place at Tewksbury Hospital, impacted 1,100 patient records, began during U.S. President George W. Bush’s first term in office, and was finally discovered last year.
“While hacking incidents are often quickly discovered because of the immediate disruption they have on an organization’s day-to-day operations, insider threats can remain undiscovered for long periods of time,” according to the report.
For breaches affecting more than 500 people, healthcare organizations have up to 60 days after the breach is discovered to report it to DHHS OCR.
The problem is, on average, most organizations miss the deadline. In 2017, an average of 73 days passed before a HIPAA breach was reported.
This is a big improvement from 2016, which saw an average of 344 days pass before a breach was reported.
Tell your clients: organizations who fail to report a breach by the OCR’s deadline risk being hit with a HIPAA fine.
In Jan. 2017, Presence Health was fined $475,000 for untimely reporting. The breach impacted only 836 people and went unreported for 101 days – a mere 41 days after the deadline.
Breach Barometer Report 2017 from Protenus and Databreaches.net.
Healthcare IT Security: Top Stories of 2017
Biggest Cyber Attacks 2017: How They Happened
