New Hacks, Thefts Added to 'Wall of Shame'Persistent Problems Pop up in HIPAA Breach Tally
While 2015 is already a record year for mega breaches in the healthcare sector, recent incidents involving common, persistent problems - as well as smaller scale hacker attacks - continue to litter the federal health data breach tally.
A Nov. 6 snapshot of the Department of Health and Human Services "wall of shame" website listing major health data breaches affecting 500 or more individuals, shows a total of 1,383 breaches impacting 154 million people since federal regulators began keeping count in September 2009.
That's about 200,000 more affected individuals since Sept. 29, when a snapshot of the website showed 1,338 breaches impacting 153.8 million victims (see Breach Tally: HIPAA Omnibus Impact).
Since Sept. 29, several breaches described as hacker incidents have been added to the federal tally. The largest was at mental health services provider, Emergence Health Network, which impacted more than 11,100 individuals.
Also among several other hacker breaches recently added to the federal tally is an incident affecting 4,500 individuals reported by Indian Territory Home Health and Hospice, as well an incident reported by the North Carolina Department of Health and Human that affected 1,615 individuals.
While these recently reported incidents are not massive breaches affecting tens of millions of individuals - as the healthcare sector saw earlier this year with cyber-attacks on several health plans, including Anthem Inc., which impacted nearly 80 million individuals - a key takeaway in these smaller scale cyberattacks is that any size or type healthcare entity is at risk.
"Healthcare organizations large and small can be targets of hackers," says Dan Berger, CEO of security consulting firm Redspin. "While the mega-breaches make the headlines, it does not mean attackers strictly focus on large entities. A heist of 11,000 records at Emergence is still significant," he notes.
One lesson gleaned from the ever-growing number of healthcare breaches is that the value of personal and medical information to hackers and other cybercriminals has increased dramatically over the past few years, says Mike Weber, vice president at security consulting firm Coalfire. "It's become much easier for a hacker to monetize an identity. There are 'distribution chains' of brokers, buyers and sellers that facilitate the transactions. Identities have a much longer shelf life than credit cards, and therefore command a higher price. This increase in value makes even the smaller entities a target for attack."
To combat cyberattacks, there are important steps that healthcare entities, as well as their business associates, can take, Berger says. "We're starting to see more healthcare organizations institutionalize regular vulnerability assessments and penetration testing, even as frequently as once a quarter," he says. "Security is a continuous cycle of testing, remediation, and retesting."
Also added to the HHS wall of shame were some newly reported breaches involving recurring issues: Loss and theft of unencrypted computing devices, and unauthorized access or disclosure of protected health information.
The largest of several recent breaches involving unencrypted devices was the theft of a laptop computer from a former physician of the University of Oklahoma Department of Urology.
In a statement, the healthcare provider says the laptop stored a spreadsheet that may have contained "limited information" from pediatric urology procedures occurring between 1996 and 2009, such as patient name, diagnosis and treatment codes and dates, date of birth or age, a brief description of a urologic medical treatment or procedure, medical record number, and physician's name. No Social Security numbers, addresses or financial information were included, the university says.
The university says its urology department "is taking additional steps to help prevent similar incidents from occurring and is providing additional training to employees on the importance of securing patient information."
Despite the push by federal regulators urging the encryption of PHI at rest and in transit, the theft and loss of unencrypted computing and storage devices remain the most common culprits in HIPAA breaches listed on the wall of shame.
"I'm not surprised by the continued problem of lost or stolen devices," Berger says. "While encryption is more prevalent, obstacles such as cost, user acceptance and lack of prioritization remain."
Unauthorized Access and Disclosure
Incidents involving unauthorized access to or disclosure of patient information are also an ongoing battle for many healthcare entities that reported breaches to HHS in recent weeks.
The largest of such recent breaches was reported on Oct. 28 by Children's Medical Clinics of East Texas. The healthcare provider reported an unauthorized access/disclosure incident involving a desktop computer affected 16,000 individuals. At press time, neither Children's Medical Clinics of East Texas, nor its legal representatives, responded to Information Security Media Group's request for information concerning the incident.
Another recent large unauthorized access/disclosure incident appearing on the wall shame is a breach affecting 4,300 individuals reported on Oct. 20 by Huntington Medical Research Institute.
In a statement, the Pasadena, Calif.-based healthcare provider says it learned on Aug. 20 "that a former employee might have taken electronic patient information related to HMRI's laboratory." The organization says the former employee is believed to have taken the information around the time of the worker's departure on July 31. "HMRI continues to investigate this incident and seek return of all HMRI patient health information," which included patient names, some demographic data, including date of birth, clinical diagnosis, tissue specimen source, treatment, specific tests ordered, and some billing information." Impacted data did not include Social Security numbers, credit cards or other financial payment information.
Among actions HMRI is taking includes reinforcing training of staff who have access to patient information and "strengthening data security," the organization says in its statement.
Berger says breaches involving unauthorized access or disclosure of patient information, especially by insiders, remain a persistent challenge for many healthcare entities. "Unauthorized access and disclosure is a tough problem," he says. For instance, often, privacy monitoring solutions "require a lot of manual effort to detect such incidents," ne notes. "It is even more effort to prevent them. Lack of time and resources can remain an issue," he says. However, "I think you will see some technological innovation in this space soon," Berger predicts.
Weber suggests that healthcare entities need to up the ante in the steps they take to safeguard PHI from external and internal threats.
"It's no longer okay to merely have a vulnerability management program, a security operations crew, and technology deployed," he says. "The modern organization has to be prepared to identify and respond to these inevitable attacks. An organization should examine its security posture across all attack surfaces and question what component of their security technology or program would be able to detect attacks throughout all parts of the organization - whether it's external technology, internal monitoring processes, physical access intrusion alarms, or first-line staff defenses," he says.
"All parts of an organization play a role and only an adversarial 'red team' approach can identify where these security relationships are weakest."
In addition to the assortment of large breaches involving electronic patient information, recently added to the federal tally were also a number of incidents involving lost, stolen, or unauthorized access to paper records and X-ray films, which also remain common occurrences landing on the wall of shame.