2015 Health Data Hacks: Stunning StatsWhat Can Be Done to End the Surge in Mega-Breaches?
The health data breach statistics for 2015 are stunning. So far this year, just the top five breaches have impacted a total of 99.3 million individuals. And all five involved hacker attacks - which were relatively rare until this year.
As of Aug. 4, the official federal tally of major health data breaches since September 2009 listed 1,282 breaches affecting a total of 143.3 million individuals. That means the five recent hacker attacks represent almost 70 percent of all victims on the six-year tally. And just one of those attacks - the hacking of health insurer Anthem that affected nearly 79 million - accounts for 55 percent of the total impacted.
Top 5 Health Data Breaches in 2015, So Far
In addition to the five biggest hacker breaches, the "wall of shame" breach tally from the Department of Health and Human Service's Office for Civil Rights, which tracks breaches affecting 500 or more individuals, lists another 33 hacking incidents this year, affecting nearly 2.4 million individuals combined. So, the grand total of victims affected by hacking breaches reported this year is 101.7 million. And it's only August.
Some security and privacy experts see no end in sight for large hacker attacks in the healthcare sector.
"The current trend of large-scale health data hacker attacks will continue unabated until there is a real mindset shift in regard to protected health information," says Dan Berger, CEO of security consulting firm RedSpin. "PHI should be considered an asset within healthcare organizations and afforded as much protection as any other asset. As this has budget and risk management implications, that shift must take place at the executive level and in the boardroom."
Healthcare entities need to learn important lessons from the recent string of hacker attacks, Berger says.
"The first and most obvious lesson should be that what healthcare organizations are currently doing isn't working," he says.
"The second lesson is that HIPAA security risk assessments are only as good as the remediation plan that is put in place after the risk assessment is conducted. Many of these attacks exploited known vulnerabilities - those that had been around for a year or more. This means that a vulnerability assessment most certainly would have identified them. But then they have to be fixed."
A third lesson, Berger says, is that many organizations don't have sufficient resources dedicated to information security and lack in-house expertise in-house.
A Lack of Focus
Indeed, a lack of focus on information security issues has been a problem for the healthcare sector, says Connie Barrera, director of information assurance and CISO at Jackson Health System in Miami.
"Cybersecurity traditionally has been underfunded in the healthcare sector," she says. "It's looked at as a large cost center." That problem is made worse by the prevalence of older IT systems with deep wells of rich patient information that is often inadequately protected with outdated technology, she contends.
"When you look at our applications throughout our organizations, many of those can be considered legacy systems ... which are tying us down to [older] operating systems, such as Windows XP," she says. "You'd think we'd be beyond that, since XP has been at end-of-life for more than year, but the reality is that many hospitals are still tied to these archaic legacy systems."
While large-scale hacker attacks have indeed spiked this year, the threat has been intensifying since last year, Barrera notes.
Large hacker breaches in 2014 included a cyberattack on Community Health Systems, which impacted 4.5 million individuals, and an attack on Montana Department of Public Health and Human Services, which affected about 1.6 million, she notes.
The healthcare sector is becoming a bigger target for hackers because its information systems are a rich source of personal and medical information, notes Ryan Kastner, a professor in the Department of Computer Science and Engineering at the University of California, San Diego.
This data is so valuable "because it can be sold in a black market and used for identity theft types of crime," he says.
Andrew Hicks, healthcare practice director of security consulting firm Coalfire, says that to counter the growing threat of cyberattacks, "organizations must be vigilant to counteract new threat actors, their vectors and the vulnerabilities being targeted."
He suggests that organizations subscribe to threat intelligence services. In addition, "having strong logging and incident response mechanisms in place is a must. We've also seen an increase in the number of organizations participating in 'war-gaming,' exercises," he notes.
With the spike in hacker attacks in the healthcare sector, St. Luke's Health System in Boise, Idaho, is collaborating with other entities, including those outside the healthcare sector, to stay abreast of emerging threats, says Reid Stephan, director of IT security. By partnering with others, "we can get access to indicators of compromise, or digital signatures they've seen in their environments, and we can replay and look for in our environment," he says.
So if St. Luke's team sees matching trends indicating a suspicious incident, the organization can assign an analyst to investigate what happened and help determine what the next steps are, he says.
Hicks warns healthcare organizations that they must go far beyond a focus on HIPAA compliance to ensure security. "All organizations are targets, and all organizations have unmitigated risk. This is the very reason why risk assessments and management programs should not be de-emphasized or overlooked."