Fewer people affected by breaches of health records despite record high number of reported incidents
By Adam Hamza
RICHMOND, Va. -- Incidents of hacked patient information reached a 10-year high in 2019 but affected fewer people than in prior years.
The healthcare industry reported 551 breaches of protected health information in 2019, affecting around 41 million people. That is down from the roughly 113 million people affected by the 270 breaches reported in 2015.
Health data is highly sought after because it contains troves of information that can be sold on the black market or used in identity theft. Television dramas favor the image of someone in a van bypassing security protocols, but IT professionals said errors by people are far more common.
The movie versions are rare because they are expensive and risky to execute, said Daniel Aranki, a faculty member of the School of Information at the University of California, Berkeley. Attackers instead rely on social engineering: tricking someone into disclosing their login information by mistake.
“Attackers just tend to say, ‘well, I don't need to do that much of an effort if I can send a phishing email to 10,000 emails over maybe 100 institutions,’” Aranki said. “If I catch only 10 of them, that's great enough, right? Because I can make a lot of money. That's a much cheaper type of barrier, like the lower barrier to the attack.”
The “human factor” will always be the weak link in a security equation, said Chris Yinger, senior vice president of information technology with Physician Partners of America.
“I would think, (without reviewing evidence), that improper disclosures would make up a bulk of the incidents, however, the volume of data that is unauthorized probably comes from hacking,” Yinger said. “One hundred people could accidentally disclose one patient’s record. However, one hack could result in millions of patients’ records being breached.”
In recent years hospitals have also been increasingly targeted by ransomware. Attackers take over a hospital’s systems, usually by connecting an infected piece of hardware to the hospital's network through USB or Wi-Fi.
Healthcare providers are locked out of the entire system until the attacker receives a ransom for the key. Aranki said hospitals are singled out since there is a low risk of being caught and high rewards because they often have no choice but to pay.
“There's a lot to be gained potentially from such an attack because the hospital wants to get over this real quick. They want to get access back to their data,” Aranki said. “They can’t afford the liability...unless you have your own backups that are protected separately from the entire system.”
As part of the Health Insurance Portability and Accountability Act (HIPAA), the Breach Notification Rule came into effect with the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. It requires healthcare providers to report a breach that affected 500 people or more to the Department of Health and Human Services. Healthcare providers must also notify those affected and the media within 60 days of discovery. Breaches that affect fewer people must still be reported, but only on an annual basis.
The breach report from HHS contains five major categories of breaches: hacking/IT incident, improper disposal, loss, theft, and unauthorized access/disclosure. The report indicated that hacking/IT incidents made up an overwhelming majority of unauthorized disclosures since 2015. Of the reported breaches, 57% were the result of hacking/IT incidents in 2019, compared to 44% in 2018 and 21% in 2015.
Hacking/IT incidents have also affected the most people since 2013. The number of people impacted by this type of breach jumped from almost 300,000 in 2013 to nearly 7.9 million in 2014. Theft accounted for the second most common breach but has fallen off substantially since 2015 as other methods become more frequent.
HHS defines a breach as “[generally] an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information.” The privacy rule applies standards to protect PHI held by “entities and their business associates” which include health plans, health care clearinghouses and healthcare providers that handle certain information electronically.
Yinger and Aranki agreed that the difference between how health systems handle people’s data compared to other industries lies in the well-defined rules associated with HIPAA. Because the rules for the collection and use of health information are set at a federal level, there is greater accountability and practices associated with health data compared to other industries.
“HIPAA is in a way easier to consume by healthcare providers. They know exactly what constitutes a PHI [and] what constitutes a personally identifiable information,” Aranki said. “These variables are well defined.”
“With the advent of security standards applied to healthcare, more organizations have implemented some level of security practices to protect PHI,” Yinger said. “I think an organization's compliance with HIPAA is directly related to the likelihood of a data breach.”