According to breach reports submitted to the Office for Civil Rights via its new breach reporting portal, healthcare data hacking incidents in March 2015 rose considerably month on month.
In spite of the high profile data breaches that have dominated the healthcare industry news headlines, hacking incidents in 2015 have been relatively low – or detection rates have been low in the very least.
Healthcare Data Hacking Incidents Increased Significantly in March
There was a huge spike in reported healthcare data breaches in March 2015 involving over 500 individuals. Only one was reported in February and just two in January this year.
In January, the hacking/IT incidents reported to the Office for Civil Rights were from Ronald D. Garrett-Roe, MD who submitted a breach report stating that an incident with a desktop computer potentially compromised 1,600 records and the VA Corporate Data Center Operations – at its Austin Information Technology Center – reported a hacking incident involving network server that affected 7,029 individuals. In February, the Children’s National Medical Center reported a hacking/IT incident that affected 18,000 of its patients. That attack came via email.
However, as of March 31, 2015 the Office for Civil Rights received 11 breach reports; a number of which detailed incidents that exposed healthcare records in the hundreds of thousands, and in two cases, in the tens of millions.
The March data breach report makes for depressing reading. Two hacking incidents in March 2015 really grabbed the headlines – The Anthem, Inc. data breach in which 78.8 million records were obtained by cybercriminals, and the 11-million healthcare record theft at Premera Blue Cross, reported on March 13 and March 17 respectively.
The Virginia Department of Medical Assistance Services (VA-DMAS) reported a hacking incident which exposed 697,586 records, while the Georgia Department of Community Health reported two incidents on March 2, in which 557,779 and 355,127 records were compromised. The Advantage Consolidated LLC breach reported on March 18 appears small in comparison, yet it resulted in 151,626 records being obtained by the perpetrators.
Healthcare data hacking incidents certainly appear to be on the rise and the volume of data the criminals are able to obtain is extraordinary. In light of the March data breach report figures, healthcare organizations are being advised to improve cybersecurity measures and to do it fast.
A Lack of Confidence in Healthcare Cybersecurity Measures
In a discussion with HealthITSecurity.com, Guy Delp, Lockheed Martin’s Director of Cyber and Data Analytics, said that he believed “many organizations don’t feel confident in their cybersecurity measures because they lack the proper funding and staffing to identify and manage attacks,” he went on to say that his company’s cybersecurity survey results showed that “Fifty-six percent of respondents felt that they didn’t’ have expert personnel. This tells us that organization leaders need to allocate more funding to building up their cybersecurity defense structure and also hire or train additional cyber experts to protect their networks.”
In the meantime, all staff should be trained on basic cybersecurity principles such as how to identify potential malware, and what to do when that happens. Organizations must at least make sure they are fully conversant with the Breach Notification Rule and should be aware of the procedures to follow should do if they suffer a data breach. Hopefully the number of incidents will fall in April, but if this month is anything to go by, the industry is in for a torrid 2015.