Vast Majority of Recent Breach Victims Affected by a Hacker Attack
With less than two months left in the year, incidents involving hackers are dominating the federal tally of health data breaches for 2017, a trend some security experts expect to continue.
A Nov. 1 snapshot of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website of major breaches affecting 500 or more individuals – commonly called the “wall of shame” – shows 388 breaches impacting more than 4.6 million people have been added to the tally so far in 2017.
Of those, 123 breaches – or 42 percent – were reported as hacking/IT incidents, impacting a total of 3.2 million individuals, or nearly 70 percent of victims affected by health data breaches added to the tally so far this year.
Unfortunately, the surge in hacking incidents impacting healthcare sector entities isn’t likely to abate anytime soon, says Kate Borten, president of the privacy and security consulting firm The Marblehead Group.
“This trend will continue since it is profitable for the hackers and healthcare’s defenses are only improving in small increments,” she says.
Examining Breach Trends
Meanwhile, about 26 percent of breaches added to the tally this year – or 102 incidents affecting a total of nearly 447,000 individuals – are listed as “unauthorized access/disclosure” incidents. While an OCR spreadsheet downloadable from the tally indicates that some of those incidents involve insiders or accidents – such as email being sent to the wrong recipients – some others, such as phishing incidents, actually involve hackers.
Only 8 percent of total breaches added to the tally this year – 34 breaches impacting 171,610 individuals – were reported as involving lost or stolen unencrypted computing devices or portable electronic devices.
Until about 2015, the wall of shame regularly showed that the most common cause of major breaches was the loss or theft of unencrypted devices.
Commenting on the major decline in these types of breaches, Susan Lucci, chief privacy officer and senior consultant at security consulting firm Just Associates, notes: “I have seen more evidence of organizations encrypting laptops before issuing them to the workforce, and prohibiting the use of portable drives.”
Borten also says that in most cases, healthcare organizations are doing better with standardizing encryption on mobile devices issued to employees. Encryption is now “cheaper and easier to use than in the early days,” she adds.
Many user devices, however, are still not encrypted, she warns. Plus, she points out that encryption, by itself, is not a guarantee that a device is hack-proof.
For example, data may be encrypted on a hard drive, but the encryption key may be readily available. Or, a user may fail to log off and leave a device unattended, leaving sensitive information potentially accessible. “Encryption must always be treated as a part of the solution, but not the entire solution,” Borten stresses.
While nine of the 10 largest health data breaches posted to the wall of shame in 2017 so far involve hacking/IT incidents, the No. 1 breach, in terms of the total number of individuals affected, involved the theft of encrypted storage media.
That breach was an insider incident reported in March by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, “without any work-related reason to do so,” the company said in a March statement.
The largest hacking/IT incident posted so far this year on the federal tally was a ransomware attack affecting 500,000 individuals reported in June by Michigan-based Airway Oxygen, Inc., a provider of oxygen therapy and home-health equipment.
“Hacking will continue to be a mechanism into systems because of the many opportunistic methods to get to protected health information,” Lucci says. Weak password protection and the lack of intrusion detection or prevention are contributing to the surge in hacker attacks, she contends. “Insider errors that we refer to as the ‘inevitable click’ are the ones where employees will think an email is authentic and click a malware-laden link,” she says. “Then given the length of time the bad guys are in your system before they are detected, PHI may have been impacted or ransomware deployed.”
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says the continuing success of cybercriminals launching malware or ransomware attacks that exploit known vulnerabilities in widely adopted software and applications “makes it likely that we will see both increasing numbers of these attacks as well as the numbers of consumers impacted by these breaches. The risk to these cybercriminals of capture or prosecution by law enforcement is depressingly low.”
While hacking incidents prevail on the federal tally for 2017, some experts say ransomware incidents are likely still underreported, despite OCR guidance issued in 2015 advising entities that in most cases, ransomware attacks should be considered reportable breaches under HIPAA.
“Ransomware continues to affect vulnerable healthcare organizations and to baffle them when it comes to determining if there’s been a HIPAA breach,” Borten says.
Any potential under-reporting – or even over-reporting – of ransomware attacks may be due to how well organizations are conducting risk assessments, Lucci notes. “If there is confusion or uncertainty, organizations should consider bringing in a professional experienced in this area to help them work through the steps methodically,” she says.
As of Nov. 1, a total of 2,109 health data breaches affecting more than 176.2 million individuals have been reported to OCR since regulators began keeping a tally in September 2009. Of those, 392 breaches impacting 131.8 million individuals involved hacking/IT incidents. While hacking incidents only represent about 19 percent of all major breaches reported to OCR since 2009, they account for nearly 75 percent of those individuals affected.
The largest health data breach appearing on the federal tally is the cyberattack reported in February 2015 by health plan Anthem Inc., which impacted nearly 79 million individuals.