Security Breach Report: Healthcare Edition (November 2015)

Organizations of all sizes in all industries are more aware than ever of the need to securely manage data and guard against security breaches. Though certain markets face unique cyber security challenges and regulatory pressures, there are more commonalities than differences in the battle to reduce risk. The reality is that the impact of a large data breach does not end at the edge of a vertical market plane or at the B2B/B2C divide. The ripple effects extend to other industries, organizations, customers, and consumers, and those effects can be felt for months if not years.

Nowhere is this more apparent than in the healthcare industry. Think of the ramifications of an attack on a large health insurance company. Or a lost hard drive at an urban medical center. Or the theft of billing records at a healthcare clearinghouse. The problems are not contained with the real or virtual walls of the organizations that are breached. Ultimately, we all bear the burdens of incidents like these.

Unfortunately, healthcare breaches show no signs of slowing down. According to Symantec’s 2015 Internet Security Breach Report, it was the fourth year in a row that the healthcare sector reported the largest number of data breaches; at 37%, the number was more than triple that of the retail sector (11%). And breaches are also increasing in cost, according to the 2015 Cost of a Data Breach Study, which was conducted by the Ponemon Institute and sponsored by IBM. Ponemon’s data showed that the average global per-record cost of a healthcare data breach is $363 — more than twice the $154 average per-record cost across all global industries.

The why, how, and what’s next of healthcare breaches are much discussed. As you ponder your protection plans, use the following reference points to help you get a better sense of some of the recent breaches in the industry; read recent studies and analysis of the healthcare cyber security landscape; and explore the opportunities to learn from mistakes and use security awareness training as a means to reduce risks and costs associated with data breaches.

• Another piece of Ponemon research, Fifth Annual Study on Medical Identity Theft (sponsored by the Medical Identity Fraud Alliance), focuses on the pervasiveness and ramifications of medical identity theft in the United States. The results show that incidents of the crime increased by 21.7% since the 2014 study and that 65% of victims had to pay an average of $13,500 to resolve the crime.
• The U.S. Department of Health and Human Services, Office for Civil Rights maintains a running list of all reported healthcare breaches affecting more than 500 individuals. The list notes the breached entity and its location, the type of breach, and the location of breached information. Of the 105 incidents reported between June and October of this year, the most common types were due to unauthorized access or disclosure (42 breaches) and theft (38 breaches). Hacking and IT incidents were at the root of 16 breaches; loss (8) and improper disposal (1) were the other two types reported during this time frame.
• In October, officials with the North Carolina Department of Health and Human Services disclosed that the confidential health information of more than 1,600 Medicaid patients was put at risk due to an unencrypted email sent in August.
• Healthcare IT News recently reported that Dr. Daniel Nigrin, Senior Vice President and CIO of Boston Children's Hospital, will publicly share his experiences and lessons learned from a hacktivist attack perpetrated on the hospital following a highly publicized child custody case. Dr. Nigrin previously discussed the cyber attack at the Healthcare IT News Privacy & Security Forum in March 2015, and he will continue to help other healthcare providers by hosting a complimentary webinar on November 17. You can register for the session, “Responding to a Cyber Attack: Lessons Learned by Boston Children’s Hospital” by clicking here.
• In late September, several outlets reported that 1.5 million patient records were exposed online due to an error by Systema Software, a claims processor for several U.S. insurance companies. According to an article by HIPAA Journal, a “tech enthusiast” named Chris Vickery discovered that the data — including Social Security numbers, drug test results, police reports, and medical service records — had been erroneously posted on Amazon Web Services. The article stated that the breach was not the result of hackers but due to human error.
• A recent article by Modern Healthcare highlights the need for cyber security talent in the healthcare space. The piece quoted one source as saying there is an “infinite demand” for experienced professionals across all industries but that supply meets only about 10% of that demand.
• A Bankrate.com article from July compared the black market value of stolen data, including personal health information. According to the chart, health insurance credentials ($20) cost more than Visa® or MasterCard® credentials with magnetic strip or chip data.
• An NPR story from early 2015 also explored the healthcare data on the black market. The reporter wrote of a dark web dealer who was selling a “value pack” of ten Medicare numbers for 22 bitcoin — about $4,700 based on the exchange rate at the time the piece was published.

The Wombat approach to security awareness and training can help healthcare organizations change behaviors and reduce risks. Learn more by reviewing our Proof of Concept series, which highlights results experienced by multiple healthcare entities.