7 Facts about Security Breaches in Healthcare
Security breaches in healthcare are on the rise; and although the average number of records exposed per breach has declined, a cause for concern is that a growing proportion of healthcare breaches is attributable to hacking and IT incidents.
Since the passage of the HITECH Act in 2009, health plans, health care clearinghouses, and healthcare providers – collectively known as HIPAA Covered Entities – have been required to report breaches of unsecured “Protected Health Information” (PHI) to the Department of Health and Human Services' Office for Civil Rights.
The Office for Civil Rights maintains an online breach portal (the “wall of shame”) that lists reported breaches affecting 500 or more individuals; from this database it is possible to identify the causes of security breaches in healthcare and find trends in the data. We have used this information to create our 7 facts about security breaches in healthcare.
Fact 1. As a Proportion of Data Breaches, Hacking has Increased over Time
The HITECH Act not only made it a requirement for HIPAA Covered Entities to report healthcare security breaches, but it was also the launchpad for the Meaningful Use program that incentivized healthcare providers to adopt electronic health records (EHRs). At the time, only around 10% of healthcare providers used EHRs.
As the program was rolled out over five years, the adoption of EHRs was not instant, and the majority of healthcare security breaches between 2009 and 2015 were attributable to theft or unauthorized access. However, as EHRs became more widely used in the healthcare industry, the proportion of security breaches attributable to hacking and IT incidents increased significantly.
Fact 2. In Hacking Events, Most Breaches Happen on Network Servers
From 2015 onwards, ransomware attacks on network servers also became a factor in healthcare security breaches. Of the 425 ransomware attacks recorded in the Office for Civil Rights' database, only one occurred prior to 2015. Due to the subsequent increase in ransomware attacks, network servers are now the most frequently hacked location of breached information in healthcare.
However, network server incidents are not only attributable to the actions of external actors. A significant number of security breaches in healthcare involving network servers are due to internal misconfigurations and developers' coding errors that leave large numbers of records reachable from the public Internet. These types of incidents should never happen: an Internet-facing server holding PHI is a configuration to be verified before go-live, not discovered by a breach report.
Fact 3. Of the 10 Largest Security Breaches in Healthcare, 8 Were Due to Hacking
Strictly speaking, this fact is not entirely accurate: although the Anthem and Premera breaches were recorded as network servers being hacked, both attacks started with phishing emails. At Anthem, the attackers obtained network log-in credentials through phishing; at Premera, an employee opened a phishing email carrying malware.
Phishing has always been a factor in healthcare security breaches, but it is difficult to ascertain its true scale and how many breaches it is responsible for. The reporting limitation is that the location where the data was exposed (for example, a hacked network server) is usually what gets reported as the cause, rather than the initial access vector (the phishing email) that made the hack possible.
Fact 4: The Average Hacking Breach is 3x Larger than the Next Highest Average
Bearing in mind the caveat that reporting limitations may result in the causes of healthcare security breaches being misrepresented, breaches attributable to hacking and IT incidents account for an average of 131,100 records per breach. However, this figure relates to all reported security breaches in healthcare, and more recent figures suggest the number per breach is falling.
The Office for Civil Rights' current “under investigation” database (October 2022) shows 692 security breaches in healthcare in the last two years attributable to hacking and IT incidents. Only eighteen have exposed more than one million records, and the average number of records per breach is now 98,762. It’s still not good, but it is a step in the right direction.
Fact 5. 79% of All Hacking Events Involved Healthcare Providers
Although only 4 of the 10 largest security breaches in healthcare involved healthcare providers, this proportion is not the norm. Nearly 8-in-10 of all hacking events involve healthcare providers – either because the healthcare provider is the victim of a hacking attack, or because a Business Associate with access to the provider´s PHI has experienced a hacking attack.
This statistic can be explained by the fact that there are many more healthcare providers in the U.S. than there are health insurance companies; and, when you consider the number of hospitals, clinics, pharmacies, and private practices that could theoretically experience a hacking event affecting 500 or more individuals, it is surprising the percentage is not higher.
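Facts 1, 2, 4 and 5 are all derived from the breach portal data, so it is worth showing how they are computed. The following Python script is an added example (not from the original article, and not the Office for Civil Rights' own tooling) that reads a CSV in the layout of the portal's export and produces the same kinds of statistics: the share of breaches classed as hacking before and after a split year, where the data lived in hacking incidents, the average number of individuals affected per breach type, and the share of hacking incidents reported by healthcare providers. The column names are assumed to match the portal's CSV export, and the rows are constructed for illustration; they are not real breach records.

```python
"""Summarise breach trends from an OCR breach-portal-style CSV export.

Added example, not from the original article. The column names are assumed
to match the portal's CSV export; the sample rows are constructed and are
not real breach records.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows in the assumed export layout (not real breaches).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Clinic A,TX,Healthcare Provider,1200,03/14/2014,Theft,Laptop,No,
Example Plan B,OH,Health Plan,85000,06/02/2014,Unauthorized Access/Disclosure,Paper/Films,No,
Example Hospital C,CA,Healthcare Provider,250000,11/30/2015,Hacking/IT Incident,Network Server,No,
Example Clinic D,NY,Healthcare Provider,3400,04/11/2016,Loss,Other Portable Electronic Device,No,
Example Billing E,FL,Business Associate,600000,09/20/2021,Hacking/IT Incident,Network Server,Yes,
Example Practice F,WA,Healthcare Provider,52000,02/08/2022,Hacking/IT Incident,Email,No,
Example Hospital G,IL,Healthcare Provider,1100000,07/19/2022,Hacking/IT Incident,Network Server,Yes,
"""

HACKING = "Hacking/IT Incident"   # breach-type label as used by the portal


def load_breaches(text):
    """Parse CSV text into dicts with a numeric 'affected' and an integer 'year'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity_type": r["Covered Entity Type"].strip(),
            "affected": int(r["Individuals Affected"]),
            "year": datetime.strptime(r["Breach Submission Date"].strip(), "%m/%d/%Y").year,
            "type": r["Type of Breach"].strip(),
            "location": r["Location of Breached Information"].strip(),
        })
    return rows


def hacking_share_by_period(rows, split_year):
    """Fact 1: fraction of breaches classed as hacking before and from split_year."""
    def share(group):
        return sum(r["type"] == HACKING for r in group) / len(group) if group else 0.0
    before = [r for r in rows if r["year"] < split_year]
    after = [r for r in rows if r["year"] >= split_year]
    return share(before), share(after)


def hacked_locations(rows):
    """Fact 2: where the data lived in hacking/IT incidents, most common first."""
    return Counter(r["location"] for r in rows if r["type"] == HACKING).most_common()


def mean_affected_by_type(rows):
    """Fact 4: average individuals affected per breach, keyed by breach type."""
    totals, counts = defaultdict(int), Counter()
    for r in rows:
        totals[r["type"]] += r["affected"]
        counts[r["type"]] += 1
    return {t: totals[t] / counts[t] for t in totals}


def provider_share_of_hacking(rows):
    """Fact 5: fraction of hacking incidents reported by a healthcare provider."""
    hacks = [r for r in rows if r["type"] == HACKING]
    if not hacks:
        return 0.0
    return sum(r["entity_type"] == "Healthcare Provider" for r in hacks) / len(hacks)


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print("hacking share before/from 2015:", hacking_share_by_period(breaches, 2015))
    print("locations in hacking incidents:", hacked_locations(breaches))
    print("mean affected by type:", mean_affected_by_type(breaches))
    print("provider share of hacking:", provider_share_of_hacking(breaches))
```

To run it against the real portal, replace `SAMPLE_CSV` with the downloaded export; the same reporting caveat from Fact 3 applies to any result, because the `Type of Breach` column records how the data was exposed, not the initial access vector.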
Fact 6. For the Last Decade, the Number of Reported Data Breaches has been Steadily Increasing
Over the last decade, there has been an average increase of fifty data breaches year-on-year, but this statistic alone doesn't tell the whole story. This is because larger increases would have been expected around the time the Meaningful Use program was in its infancy and as cybercriminals started deploying ransomware attacks on healthcare providers – so, around 2015.
However, in the four years between 2014 and 2018 there was a net increase of only 54 data breaches in total. So, what happened? Well, in 2017, the Office for Civil Rights issued its first civil monetary penalty for failing to comply with the Breach Notification Rule, and subsequent fines for similar violations prompted an increase in reporting from 2019 onwards.
Fact 7. Fines for Hacking Incidents are Much Higher than for Other Types of Security Breaches in Healthcare
Although the Office for Civil Rights prefers to resolve violations of HIPAA with Corrective Action Plans, the agency has to date settled or imposed a civil monetary penalty in 123 cases (as of October 2022). Oftentimes, the reason for imposing a civil monetary penalty is to “send a message” – as with the 2017 penalty for failing to comply with the Breach Notification Rule.
However, the average fine for hacking and IT incidents is consistently much higher than for other types of security breaches in healthcare. This is despite there being no apparent correlation between the size of the fine and the number of records hacked, the speed at which the cause of the incident was corrected, or the previous compliance history of the organization. The moral of this fact is – don't get hacked!