Although 2017 saw fewer massive health data breaches when compared to 2016, there was still an average of at least one health data breach per day throughout the entire year, according to a year in review report from cybersecurity software company Protenus.
Progress is being made, but there is still much that healthcare organizations must do in order to ensure that the patient data entrusted to them is properly secured, Protenus' Breach Barometer 2017 year-in-review report states.
In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media, and information available for 407 of those incidents, which affected a total of 5.579 million patient records, according to Protenus, which tracks disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Comparing these numbers with those of last year and Protenus reports that there was a slight increase in the number of breaches (450 in 2016 compare to 477 last year), but there was also a drastic decrease in the number of affected patient records—27.3 million records breached in 2016, over five times greater than the number of records affected in 2017.
The single largest breach reported in 2017 (figure 3) was the result of insider-wrongdoing. It involved two separate occasions in which a hospital employee inappropriately accessed the billing information of 697,800 patients on an encrypted USB and CD, according to the report.
In 2017, insider incidents (insider-error or insider-wrongdoing) continued to be a significant challenge for healthcare organizations, as insiders were responsible for 176 incidents last year. The report notes that one incident remaining undiscovered for 14 years. Insiders were responsible for 37 percent of the total number of breaches this year, which is similar to 2016 findings.
Protenus had information for 143 of those incidents, which affected 1.6 million patient records (30 percent of total affected patient records). This year’s insider-related incidents and patient records were lower than those in 2016, where 192 incidents were disclosed and 2 million patient records were affected.
Insider-error affected 785,281 patient records and insider-wrongdoing affected 893,978 records, which shows that more patient records were breached by insiders with malicious intent than by insider-error even though there were fewer insider-wrongdoing incidents.
Another key finding from the report is that hacking incidents that include ransomware/malware seemingly doubled from 2016 to 2017. Protenus found that hacking incidents were constant throughout the year with a total of 178 incidents in 2017 (37 percent of all 2017 breaches), with information available on 144 of those incidents, which affected 3.4 million patient records
In 2016, there were 120 hacking incidents—those incidents accounted for 87 percent of all affected records (23.7 million patient records). As a result, although there were 58 more hacking incidents in 2017, there was a significant decrease in the number of records that those incidents affected. This can be attributed to the lack of the massive hacking incidents like those seen in 2016.
Also noteworthy, healthcare organizations in 2017 reported many more incidents of ransomware and malware. There were only 30 incidents reported in 2016, whereas in 2017, 64 incidents were reported that specifically mentioned ransomware or malware. “It is entirely possible, however, that this increase in ransomware attacks is simply due to the fact that more organizations are better about reporting ransomware and have taken OCR’s guidance on what to do when an organization has experienced a ransomware attack,” the report states.
Eighteen of the 178 hacking incidents mentioned the use of other types of ransomware or extortion methods, and 31 incidents involved phishing attacks.
Last year, Protenus predicted that 2017 would be the “year of insider breach awareness.” And, Protenus notes that although there was not a substantial shift in insider-related breaches, overall awareness has increased with better reporting and guidance from HHS and OCR on what to do in the aftermath of a breach. “To see continued improvement in detection and reporting in 2018, healthcare leaders will need to build upon the progress made this past year by comprehensively auditing every access to the EHR to ensure threats to patient privacy are proactively detected and mitigated,” the report states.
What’s more, in 2017, there was a significant decrease in the total number of records breached but Protenus notes that experts are unsure if this is an indicator of breach prevention or if malicious actors are taking a breath before a resurgence of attacks in 2018.
The cybersecurity software firm also expects the trend of at least one breach per day that began in 2016 to continue into 2018. In fact, Protenus predicts that there could be an increase in the number of incidents reported to HHS next year, but this would most likely be the result of the industry getting better at breach detection, rather than there actually being more incidents. And, as healthcare organizations gain the ability to monitor every access to the EHR and detect suspicious behavior as soon as it occurs, this will hopefully mean that the industry will continue to see a decrease in the number of records affected by health data breaches in 2018.
The report also found that, in 2017, healthcare entities suffered a setback in the average time taken for breach detection. According to the report, of the 144 health data breaches for which information was available, it took an average of 308 days for an organization to discover that it had suffered a breach, significantly longer than the average of 233 days for breach detection in 2016.
“This setback is partially due to the number of breaches reported in 2017 that had occurred for several years, some over a decade, before they were discovered,” Protenus states.
What’s more, it took an average of 73 days for organizations to report a breach to HHS after it was discovered, which represents an improvement from 2016, when it took an average of 344 days to report to HHS.
However, health data breaches need to be reported to HHS within their required 60-day window, or civil monetary penalties could be levied. “While this improvement is a great sign, we hope to report in 2018 that the yearly average fell within that 60-day window,” Protenus states in the report.
The trends seen in 2017 underscore the need for healthcare organizations to make data security a top priority and need to use the latest advances in technology to protect patient data.
