Rising Healthcare Data Breaches and Costs Call for Organizations to Take Proactive Measures

Align Contributing Author: Seth Arbital, Chief Information Security Officer of Align. 

2017 was a lucrative year for attackers targeting healthcare organizations, and the first quarter of 2018 continued to see an increased number of attacks. According to the HIPAA Journal’s Report, Healthcare Data Breaches in Q1 2018, there have been 77 healthcare data breaches reported to the Department of Health, impacting over one million individuals, and the costs of these incidents continue to rise.
According to Ponemon, the last three years have seen higher average costs for breached individual healthcare records, despite a decrease in the global average across all records:

• 2015 - $363 per stolen healthcare record, where the global average was $217 per record
• 2016 - $355 per stolen healthcare record, where the global average was $158 per record
• 2017 - $380 per stolen healthcare record, where the global average was $141 per record

Most of the attacks are due to malicious and criminal activity, systems misconfigurations and human error. While these need to be addressed, it is also crucial to vet business associates and their access to patient and employee healthcare records.

HealthcareIT News reports some of the larger reported breaches for 2018 include record breaches numbering in the tens of thousands. From ransomware affecting 85,000 of California Orthopedic Specialists records, to database misconfiguration costing New Jersey-based Virtua Medical Group over $400,000 in fines, small errors and bad actors can lead to immense losses and huge security problems for unprepared organizations.

• California based Orthopedic Specialists, COS, reported that a ransomware attack against its vendors may have affected 85,000 of their current and former patients.
• New York-based organization, Middletown Medical, reported that over 63,000 patients’ records may have been breached due to a misconfigured radiology interface.
• A Long Island provider, Cohen, Bergman, Klepper MDS reported that about 42,000 patients’ records may have been breached due to a misconfigured online database.
• NJ-based Virtua Medical Group is being fined over $400K for its misconfigured database that breached over 1600 patient records in 2016.
• Illinois-based ATI Physical Therapy was the victim of email account attacks that potentially exposed over 35,000 patient records.

The key to addressing these threats is to take proactive measures to understand and reduce risk. This requires proper people, processes and technical controls. While HIPAA regulations provide a good baseline for compliance, this does not inherently equal sound security practice. Securing sensitive information is an iterative process; threat vectors are continually changing, and attackers continually get more sophisticated. Due diligence and continued awareness are key.

• Step 1 - Understand Your Current Exposure Level: You cannot protect what you do not know. Different organizations have different areas and levels of exposure. Through tailored and appropriate risk and security assessments, you can understand your current state of security, your desired state and the roadmap to attain that state.

• Step 2 – Vulnerability Management: The most publicized attacks, including WannaCry, Petya and others over the last view years were due to known, but unpatched vulnerabilities. It is important to continuously identify and address newly identified vulnerabilities. This is a particular challenge in the healthcare sector, as many legacy systems cannot be updated or patched.

• Step 3 – User Awareness Campaigns: Insider threats are a major issue and will only continue to rise. Insider threats do not necessarily refer to malicious or disgruntled employees. Internal breaches often come from unwitting but well-meaning staff members. General practitioners, doctors, specialists, lab workers, etc. all need to share information, and very often do so without accounting for the risk of a data breach. In addition, social engineering techniques, such as phishing, remain a popular and effective way to breach an organization. In today’s sophisticated threat landscape, you need more than training–you need to create a “Culture of Security.”
  
  
• Step 4 – Business Associate Vetting: You are responsible for your patient’s information, even if it is processed by a business associate. Proper due diligence in vetting your vendors is key to reducing your organization’s threat exposure.
  
  
• Step 5 – Data Protection: The goal of all your efforts is to protect your patients’ information and your organization’s sensitive data. This requires understanding where this data is, classifying it appropriately and implementing the proper protection controls, including access controls, encryption and data loss prevention (DLP).
  
  
• Step 6 – Visibility: Threat vectors are always changing, and zero-day risks are prevalent. Ponemon research shows the average time to identify an incident is six months and then two additional months to contain. Identifying anomalous behavior is key to addressing and minimizing risk.

The most important recommendation tackling data security is not to do it alone. The best way to address and reduce your risk exposure is to develop an ecosystem of robust internal controls and knowledge while leveraging the expertise of external subject matter experts (SMEs). By working with a trusted partner with technical expertise, and bringing in an outside perspective, healthcare organizations can be empowered to vet internal processes better, identify threat vectors and structural weaknesses, implement changes to thwart external attackers and tighten up internal controls.

Cyber Lock. Image Credit: Align