Lessons Learned from 2015 Health Data Breaches
Nine of the top 10 incidents in 2015 on the Department of Health and Human Services’ “wall of shame” tally of major breaches involved hacker attacks, a huge shift from previous years, when hacker attacks were relatively rare.
The biggest health data breach of 2015 - the cyber attack on health insurer Anthem Inc. - affected nearly 79 million individuals, making it, by far, the biggest healthcare breach on the list since its inception in late 2009. And the top six hacker attacks affected a combined total of 90 million individuals.
While hacker attacks account for less than 11 percent of the incidents listed on the HHS tally so far, they account for 75 percent of breach victims. Some 56 hacker breaches added to the tally in 2015, affecting a total of nearly 112 million individuals.
And a Dec. 31 snapshot of the wall of shame shows 1,425 breaches impacting a total of more than 154 million individuals. That’s more than three times the number of victims affected by health data breaches as of one year ago - a result of the massive hacker attacks.
So what are the top lessons to be learned from the epidemic of mega-hacks in 2015?
“Healthcare organizations need to become more mature in their security posture and be a lot more proactive about protecting data,” says Jay Trinckes, senior practice lead for healthcare and life sciences at the consulting firm Coalfire. “We see many small organizations basically doing the bare minimum when it comes to security, such as ‘checking the box’ type activities for HIPAA compliance. But it’s interesting to note that the top breaches are happening to the large covered entities believed to have a higher security maturity level.”
The hacker attacks point to the need for continual risk analysis, says privacy attorney Kirk Nahra. “These ‘cyber’ risks really aren’t new, but the form they take keeps evolving, and other risks change as well,” he says. “Security protection - whether as a regulatory requirement or just as smart business - cannot be stagnant; it must be reviewed, assessed and improved almost constantly.”
The cyberattacks in 2015 also point to the need to conduct more rigorous and thorough penetration testing on a regular basis, Trinckes says.
Healthcare entities, as well as their business associates, also need to comply with industry standards that go far beyond the HIPAA Security Rule, he stresses. The wall of shame indicates that business associates have been involved in about 20 percent of all breaches.
“A trend we’ve noticed is that business associates are realizing the benefits of assessing risk against many compliance standards/frameworks - including HITRUST, SOC, ISO, PCI - as a competitive differentiator to increase revenue,” Trinckes says. “They’re using this level of thoroughness as a marketing tool to demonstrate their high bar of data protection and to meet customer demands. This is also particularly evident with cloud service providers that serve the healthcare industry.”
Another important step that healthcare entities and BAs can take to bolster breach prevention and detection in 2016 is to improve their communication, Nahra says.
When it comes to BA’s alerting the organizations they serve about breaches, Nahra says, “make sure that reporting channels are clear - that people know where to go as soon as possible. Also make sure that reporting suspicions [about breaches] is incredibly important. People need to know that they should report, even if it turns out to be nothing, and that they shouldn’t try to ‘figure things out’ before reporting. The faster that these problems can be stopped, the better for everyone.”
Organizations in the healthcare sector also should consider performing social engineering tests in an attempt to prevent falling victim to phishing attacks, which are frequently at the center of major hacking incidents, Trinckes says. “Results of this testing often lead to identifying the need for more effective internal training,” he says.
Healthcare organizations are also under pressure to bolster their breach detection and incident response plans, he adds. They should consider implementing sophisticated intrusion detection and prevention solutions along with log monitoring systems, he suggests. But they must ensure they have “the resources to maintain and monitor these solutions on a continuous basis.”
Looking ahead to 2016, Nahra predicts the cyberattack epidemic will endure. “These breaches will continue on a large scale, and will continue to be in the news because they have a long tail - both in cleaning up problems and in subsequent enforcement, if any, which can occur several years later,” he says.
The increased value of protected health information and personally identifiable information in the black market underground for use in such crimes as identity theft and fraud is fueling the surge in breaches, he adds.
“We will see more healthcare organizations pursuing the purchase of cyber insurance coverage, and these insurers will require these organizations to demonstrate a high level of data security practices, along with having a comprehensive, proactive information security program,” he predicts.