February saw a major increase in insider healthcare data breaches, according to the latest healthcare data breach report from Protenus.
The February Breach Barometer report indicates there were 31 reported healthcare data breaches in February. While the figure is on a par with January, which also saw 31 healthcare data breaches reported, there was a significant rise in insider healthcare data breaches last month.
Insider incidents accounted for 58% of the total number of reported breaches, twice that of the previous month. Those incidents were fairly evenly split between malicious acts and errors. Eight incidents were the result of insider wrongdoing, while nine incidents were logged as errors made by healthcare employees.
The rise in insider healthcare data breaches is a concern. Healthcare organizations have been increasing investment in perimeter defenses to prevent ePHI access by hackers, yet defenses against insider breaches are often found to be lacking. It is also taking an alarming amount of time for those incidents to be detected.
HIPAA Rules require covered entities to maintain ePHI access logs and regularly audit those logs to identify improper access by healthcare employees. All too often, those ePHI access logs are not checked frequently enough. Consequently, rogue employees are able to access the PHI of patients for long periods before their actions are detected.
In many cases, employees access ePHI out of curiosity. However, health information and Social Security numbers are extremely valuable to identity thieves and other fraudsters. Information stolen from healthcare organizations is often used for a variety of nefarious purposes. Fast detection of improper access can limit the harm caused by healthcare insider data breaches. Fewer patients are then impacted, thieves have a shorter time to use the data before protections are put in place and healthcare organizations will have lower breach resolution costs.
However, this month’s figures indicate healthcare providers are taking far longer to detect data breaches. Last month, the average time between the data breach occurring and the incident being reported to the Department of Health and Human Services’ Office for Civil Rights was 174 days. In February, the average time taken was 478 days.
There were two incidents reported in February that took over five years to discover, including one case of improper access by a healthcare employee that took 2,103 days to discover and report. The other incident involved a software glitch that took 1,952 days to discover and report.
The insider breach should have been uncovered during a periodic review of PHI access logs, while the software glitch should have been identified during a risk assessment. While healthcare organizations cannot always be expected to prevent data breaches, policies and procedures should be developed to ensure that incidents such as these are detected promptly.
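The access-log review the report says should have caught the insider incident is straightforward to automate. The following is an added illustration, not code from Protenus or from the article: it parses constructed EHR audit-log lines, flags accesses by users who have no treatment relationship with the patient (the care-team mapping is an assumed input from scheduling or EHR data), and measures how long the earliest flagged access went unnoticed before a review.

```python
from datetime import datetime

# Constructed sample EHR access-audit log lines (not real data):
# timestamp, user id, patient id, action
SAMPLE_LOG = """\
2017-02-01T09:12:00 nurse01 P1001 view
2017-02-01T09:40:00 nurse01 P1002 view
2017-02-01T10:05:00 clerk07 P3001 view
2017-02-02T22:15:00 clerk07 P1001 view
2017-02-03T22:20:00 clerk07 P1003 view
2017-02-04T22:25:00 clerk07 P2001 view
2017-02-05T22:30:00 clerk07 P2002 view
"""

# Constructed treatment relationships; assumed to be derived from
# scheduling/EHR assignment data in a real deployment.
CARE_TEAM = {
    "nurse01": {"P1001", "P1002", "P1003"},
    "clerk07": {"P3001"},
}

def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events

def find_unrelated_access(events, care_team):
    """Flag accesses where the user has no treatment relationship with the patient."""
    return [e for e in events if e["patient"] not in care_team.get(e["user"], set())]

def summarize_by_user(flagged):
    """Count flagged accesses per user so reviewers can prioritise follow-up."""
    counts = {}
    for e in flagged:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

def days_undetected(flagged, review_date_iso):
    """Whole days between the earliest flagged access and the review that caught it."""
    if not flagged:
        return 0
    review = datetime.fromisoformat(review_date_iso)
    return (review - min(e["ts"] for e in flagged)).days

if __name__ == "__main__":
    flagged = find_unrelated_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    print(summarize_by_user(flagged), days_undetected(flagged, "2017-02-28"))
```

Running the review monthly instead of yearly is what turns a 2,103-day detection gap into a matter of weeks; the same logic can be scheduled against the real audit feed.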
In February, 19% of breaches involved lost or stolen devices. The use of encryption technologies could have prevented those breaches. Hacking, which has plagued the healthcare industry in recent months, was down. Just 12% of the breaches reported in February were attributed to hacking.
Healthcare providers registered the most breaches last month, accounting for 77% of all breaches. 13% of breaches were reported by health plans. Business associate breaches made up 3% of the total.
While the number of healthcare data breaches in February was the same as January, there was a major reduction in the number of exposed or stolen records. In January, 388,207 records were breached. Last month the figure was 206,151.