2017 Health Data Breach Tally: An AnalysisExperts Analyze Whether the Stats Signify Real Progress
Compared to the mega-breaches that hit the healthcare sector in 2015 and 2016, the top 10 breaches reported for 2017 were far smaller.
The 10 largest incidents of 2017 reported so far affected a combined total of just 2.6 million individuals. And as of Dec. 21, a total of 335 health data breaches impacting more than 4.9 million individuals had been added to the federal breach tally in 2017.
For 2016, by comparison, the HIPAA Breach Reporting Tool, commonly called the "wall of shame" lists 327 breaches affecting 16.6 million individuals, and in 2015, 269 breaches impacted nearly 113.3 million individuals. The Anthem breach alone affected nearly 79 million individuals in 2015.
As of Dec. 21, some 2,158 breaches affecting nearly 176.5 million individuals had been posted to that federal tally since it was initiated in September 2009.
So what has led to the big drop in mega-breaches in the past year?
"I have a few theories on this," says Keith Fricke, principal consultant at tw-Security. "Perhaps after the large breaches in 2015, more organizations housing large amounts of protected health information raised the bar on their security posture, thereby reducing opportunities for criminals to exploit vulnerabilities. But it is possible that some yet-to-be-discovered large breaches are out there. Some metrics show that the average time between a hacker's first unauthorized access and when they are discovered is around 200 days, which is about 6.5 months."
Kate Borten, president of security and consulting firm The Marblehead Group, says some organizations - especially insurers with large pools of data - may be putting more effort into security now with the realization that they're a big target.
"Health plans, the insurers or payers, typically are managed quite differently from provider organizations," she says. "They are likely to be more tightly controlled, making security a bit easier, and they are likely to have a larger security budget and more resources. This is reasonable since they typically have large volumes of plan member data."
Mac McMillan, CEO of security consulting firm CynergisTek, argues that several factors contributed to a decline in the size of breaches.
"First, I think everyone who aggregates large amounts of data saw those attacks as a wake-up call and got more serious about their security. Many did pre-emptive assessments to look for the vulnerabilities that had led to others misfortune. Second there has been a decline in the demand for records and the associated price they bring on the dark web, as a result of the glut in supply. So in some ways these earlier breaches may have reduced the risk going forward," he says.
"Third, there has been a perceptive shift to disruptive attacks, which are paying out. Last, being a realist about the threat, it's probably just a matter of time before we see another major breach."
But privacy attorney Kirk Nahra of the law firm Wiley Rein warns against putting too much emphasis on the size of breaches reported on the wall of shame. "I think the size of breaches is a bit of a red herring," he says.
"The sample size comparison year-to-year is too small. Companies may be doing a better job of segmenting their data so that it is harder to get at large volumes of data, but that is a guess. Volume is meaningful, but often the closest thing to real identifiable harm comes from smaller breaches."
Confusion Over Biggest Breach
The No. 1 breach added to the tally in 2017, in terms of the total number of individuals affected, involved the theft of encrypted storage media. Under the HIPAA Breach Notification Rule, the theft or loss of encrypted computing or storage devices is not considered a reportable data breach, so the incident being reported as a breach raised eyebrows.
The insider incident was reported in March by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. The breach, affecting 698,000 individuals, involved a former employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so," the company said in a March statement.
Outlook for 2018
Hacking was the cause of the other nine top breaches in 2017 and about 70 percent of the total number of individuals affected by all health data breaches during the year.
The trend in hacker incidents dominating the top spots on the federal health data breach tally is likely to continue, some experts predict.
"I believe we will continue to see hackers in the form of external cyberattacks such as phishing and ransomware," Borten says.
"These attacks are increasingly sophisticated. In the early days, most attacks were almost laughable with misspellings and other obvious signs of something fishy. But now I find myself tempted to open messages or click on links because they appear to be relevant and legitimate," she notes.
"In this environment, it becomes harder to train users not to open a message or document, or to click on a link. Then when attackers find a way in to our networks, all too often they detect and exploit weaknesses."
McMillan predicts that the hacker trend will continue to evolve.
"All evidence is that hacks in healthcare are not going to slow down," he says. "Organizations are paying ransoms, and many of the attacks are indiscriminate in nature anyway - think WannaCry. Nation-states attack over the world wide web and leave secondary victims in their wake."
Attacks will focus increasingly on disruption, McMillan says, "as attackers have learned that this is effective. Ransomware will continue to be a frequent attack as long as organizations continue to pay. Hackers will further exploit the internet of things to their advantage."
Meanwhile, Nahra notes, smaller breaches not involving hackers can be just as worrisome.
"Bigger isn't always worse," he adds. "There are lot of smaller breaches that have direct personal impact for specific people and where the idea of a hacker attack may not be relevant."
Beware of Insiders
Borten warns that as covered entities and business associates increasingly attempt to fend off hacker breaches, they must not forget the threats posed by insiders.
"Insiders will always pose a bigger threat in healthcare provider organizations than in other industries due to the wide range of nonemployees who are routinely granted electronic access," she says. "These include students and other trainees, visiting staff, volunteers, and other providers such as community practices. But these individuals are harder to control than employees receiving paychecks."
Nahra offers a similar perspective. "Companies will need to continue to pay close attention to employee access and use. Control access, watch what people are doing, change access when jobs change and make sure to cut off former employees," he says. "They also should focus on what data is given to and made accessible to vendors."
To battle the insider threat, McMillan advises organizations to "monitor, analyze, monitor. Upgrade to user entity behavior analytics technology to make patient privacy monitoring more proactive, accurate and effective."
Entities need to reinforce with their workforces the critical practices to reduce the risk of unintentional insider breaches, Fricke says. "As always, recurring workforce training helps keep security and privacy top of mind, which can reduce the risk of accidental incidents," he says. "Breaches caused by insiders with intent can be reduced or avoided with improved monitoring and alerting. These days, it is more practical to outsource that monitoring to a third party with resources to watch activity around the clock."