Growing Hacker Breach Tally: What's to Blame?
Some Experts Say Focus on HIPAA Compliance Creates Security Gaps
Hacker attacks continue to account for the vast majority of health data breach victims this year, according to the latest federal tally.
Some security experts expect that trend will persist as long as many healthcare organizations focus narrowly on HIPAA compliance rather than larger cybersecurity issues.
"Eighty percent of the incidents resulting in loss or compromise of patient information are external attackers taking advantage of technical weakness in the enterprise, but much of healthcare is still focused on compliance and people," says Mac McMillan, CEO of the security consulting firm CynergisTek. "We need to reorient our focus on serious cybersecurity and strengthening the framework upon which we base our selection of controls. HIPAA is failing the industry as it relates to security."
Dan Berger, CEO of the security consultancy Redspin, predicts hackers will "continue to plague the healthcare industry for years to come" because protected health information is stored in so many places that it's difficult to safeguard.
"PHI finds its way onto multiple devices, is used by different applications, moves from provider to provider - and to business associates," he notes. "The surface area for potential hacker attacks continues to expand. To safeguard PHI in every instance takes a discipline that most organizations still lack."
An Oct. 7 snapshot of the Department of Health and Human Services' Office for Civil Rights "wall of shame" website listing health data breaches affecting 500 or more individuals shows a total of 227 breaches reported so far this year. Those incidents have impacted a total of more than 14 million individuals.
Although hacker attacks make up only about a third of the breaches confirmed by HHS so far this year, those incidents are responsible for about 80 percent of the individuals affected.
Hacker incidents began to surge in 2015, when more than 100 million individuals were affected. The biggest of those breaches was a cyberattack on Anthem Inc., which impacted nearly 79 million individuals.
By comparison, the largest hacker incident added to the wall of shame so far in 2016 was a cyberattack on Arizona-based Banner Health impacting 3.6 million individuals.
"The trend toward more hacker incidents is very likely to continue and to grow once attacks against internet of things [devices] are in full swing," McMillan says. "Healthcare organizations need to realize this fascination with compliance and insiders, while important, is not where their focus should be."
Because of the pervasiveness of hacking, McMillan says, "we need to strengthen the frameworks we use to build our defenses - HIPAA is not adequate - and get serious about cybersecurity."
Berger contends that a combination of issues is behind the surge in hacker attacks. "I wish it could be narrowed down to specific practices and/or policies. But the solution remains more holistic," he says. "We still find that many HIPAA security risk assessments are not comprehensive enough and often lack the follow-through required to remediate the vulnerabilities found. Healthcare organizations of all sizes and types should take full advantage of the risk assessment process to identify, prioritize and address the issues specific to their organization that pose the greatest risk to PHI."
In a statement provided to Information Security Media Group, an HHS Office for Civil Rights spokeswoman says: "HIPAA does, indeed, require an enterprisewide risk analysis of risks and vulnerabilities to all electronic protected health information, including those from cyber threats, and entities are also then required to develop policies and adopt safeguards to address/mitigate those risks. HIPAA compliance is a holistic approach, and not a check the box exercise." As OCR's recent ransomware guidance indicates, HIPAA requires the implementation of many safeguards that protect entities from cyber threats, she adds.
Among recent hacking incidents added to the wall of shame is a breach affecting 300,000 individuals, reported to HHS on Sept. 23 by Central Ohio Urology Group. In a notification statement to patients, the clinic says: "An unauthorized individual posted files and documents to an online drive accessible on the internet that appear to have been maintained on Central Ohio Urology's internal file server. The files and documents included personal information about patients, employees and, in some cases, people that paid for medical services."
A long list of ransomware attacks has grabbed headlines this year. But many of those incidents, including an attack on Hollywood Presbyterian Medical Center, have not yet shown up on the wall of shame.
That could be due, in part, to lingering confusion about whether federal regulators consider ransomware attacks to be reportable breaches under HIPAA. OCR issued guidance in July aimed at clarifying that most ransomware attacks do, indeed, result in a breach of PHI that should be reported.
One ransomware-related breach that's been added to the OCR tally is an incident affecting more than 15,000 individuals reported by Providence, R.I.-based University Gastroenterology on Sept. 8.
Encryption Finally Catching On?
Compared with past years, breaches involving lost or stolen unencrypted computing devices are affecting far fewer individuals so far this year.
Since Jan. 1, there have been 28 health data breaches involving lost or stolen unencrypted desktop, laptop or other mobile gear affecting a total of nearly 800,000 individuals. The largest of those, reported by California Correctional Health Care Services, impacted 400,000.
"There is no excuse for an unencrypted system that stores, processes or transmits electronic PHI," McMillan says, suggesting that breaches involving unencrypted data should always result in financial penalties from regulators.
The Grand Total
In total, some 1,686 major health data breaches affecting 168.7 million individuals have been posted on the federal tally since September 2009, when regulators began keeping track.
"There are roughly 1,600 health systems in the U.S.," McMillan says. "So [that's] basically one [major breach] for every health system we have."