We analyzed 2,700 healthcare data breaches to answer the question:
Where should healthcare organizations focus their security efforts to prevent data breaches?
We looked at breach sizes. We looked at the cause of the breach. We even looked at who reported the breach.
We uncovered a number of interesting findings.
Here is a summary of our key findings:
- Working with Business Associates has been a pain point for healthcare organizations. Allowing them to handle your PHI is risky. Our findings supported the theory that you can’t ignore Business Associate Risks. Business Associates have been responsible for 49 million breached healthcare records over the last decade.
- Some organizations avoid using electronic medical records to avoid HIPAA compliance. This does not make them immune to data breaches. In fact, our study found that sticking with paper doesn’t make you more secure.
- Covered entities and business associates can legally use email to communicate health records if safeguards are in place. Emailing medical records is still high risk.
- If it can be encrypted, it probably should be: stolen unencrypted devices are a huge cause of incidents.
- As more organizations move their records to the cloud, it is imperative that basic security controls are implemented – like OS hardening and integrity checks. Hacked servers are the single biggest contributor to incidents.
- Attackers are getting better at what they do; our security solutions must adapt. The number of breached medical records has been increasing since 2017 (we aren’t getting any better), and breaches have been on a general uphill climb since 2009.
- Health care providers aren’t the worst offenders – more records are leaked by health plans than all other groups. These organizations contain massive troves of data and are prime targets.
- More attacks involve humans and phishing than any other type of attack. Phishing is a risk you can’t ignore. Training employees on the risk and implementing 2FA is imperative.
- It doesn’t matter how secure your servers and solutions are if your employees download patient data to portable media. Portable electronic media is not a secure place to store health records. It has been the cause of millions of compromised health records.
Business Associates are a risk you should consider carefully
We found that covered entities cannot ignore the risk that Business Associates pose.
Since the HIPAA regulations were updated a decade ago, Business Associates have been required to be compliant with HIPAA just like covered entities.
This means that if your organization is a covered entity under HIPAA, any organization that creates, receives, maintains, or transmits PHI on your behalf must comply as well.
And you have to have a Business Associate Agreement in place with them.
Business associates were responsible for leaking 49 million patients’ records in data breaches.
Key Takeaway: Business associate agreements aren’t enough to ensure your business associates are complying with HIPAA. You must vet their security practices before sharing PHI with them.
Sticking with paper doesn’t make you less vulnerable
One very interesting finding from this analysis was that using paper records can lead to data breaches of medical information just as large as digital ones.
In fact, we found that since 2009, the health information of 4.9 million patients has been leaked via paper records.
This finding is in line with Christopher Burgess’ 2018 analysis that paper records are too often overlooked.
He correctly pointed out that many organizations focus on the technical aspects of information security and completely forget paper.
This has led to some pretty large breaches involving paper records.
Key Takeaway: even if you opt out of using electronic medical records, there are still serious risks you must mitigate.
Emailing medical records is a high risk
We found that 17% of medical information breaches involved email in some way.
That’s a total of 7.6 million records!
Unfortunately, the healthcare industry hasn’t kept pace with security technology in many aspects.
Email is one of these.
In fact, Mimecast recently found that healthcare organizations’ email defenses missed 16% of spam or malicious emails overall.
Most other sectors missed about 12%.
Because of this, attackers have been increasing their focus on the healthcare industry.
Incidents like the breach at Gulfport Memorial Hospital show this.
A phishing email led to the compromise of 30,000 patient records.
Key takeaway: Email is inherently an insecure communication protocol. You should avoid sending sensitive patient information via email.
Stolen unencrypted devices are a huge cause of data breach incidents
Overall, there is not a widespread adoption of device encryption.
Most organizations that we audit don’t have encryption enabled on devices.
We found that 23 million health records have been leaked due to the theft of devices.
It could happen to anyone – you forget a laptop or phone somewhere and by the time you remember and return to retrieve it, the device is gone.
However, for healthcare professionals, this is even more serious.
Many times, these devices have private health data on them.
Take, for example, the theft of four computers from Advocate Health Group in Illinois in 2013.
The devices potentially exposed the health records of 4 million individuals.
Key takeaway: If the device can be physically moved, it should probably be encrypted. Even if your company has a policy prohibiting copying patient data to devices, you can’t really be sure your employees aren’t still doing so.
Hacked servers are the single largest source of breaches of medical information
The data shows that compromised network servers are responsible for the most compromised medical records.
In fact, 79% of private health information (164 million) leaked since 2009 involved a network server in some way.
While looking through individual cases, we discovered interesting patterns.
Take SW Seattle Orthopedic and Sports Medicine, for example.
A compromised web server was the gateway to 9,000 medical records.
When we looked a little further, we found that known vulnerabilities were mentioned in the incident reports covering 9.9 million records.
That means that patching could have potentially prevented the disclosure of the private information.
Key takeaway: network servers are a target for hackers, especially if they are connected to the internet. Organizations should implement micro-segmentation principles and robust security controls on any servers storing PHI.
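What an "integrity check" on a server storing PHI looks like in practice, as an added example that is not part of the study: the script below records a SHA-256 baseline of every file under a directory tree, rescans later, and reports what was added, removed or modified. Everything it scans is constructed in a temporary directory so it runs anywhere; the paths and contents are invented for illustration.

```python
"""Added example: a minimal file-integrity baseline and comparison.

Not from the study; uses only the Python standard library. The files it
checks are constructed in a temporary directory so it runs anywhere.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(path for path in baseline.keys() & current.keys()
                           if baseline[path] != current[path]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Constructed scenario: baseline a tree, change it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(root, "bin", "old_tool"), "#!/bin/sh\necho old\n")
        _write(os.path.join(root, "var", "www", "index.html"), "<h1>portal</h1>\n")
        baseline = build_baseline(root)

        # Simulated drift: a hardening setting edited, a binary removed,
        # and a file that appeared in the web root without a change record.
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "bin", "old_tool"))
        _write(os.path.join(root, "var", "www", "upload.bin"), "unexpected\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

Two operational points matter more than the hashing itself: the baseline has to be stored somewhere the server cannot rewrite (otherwise whoever compromises the host can simply re-baseline), and a "modified" hit on a hardening file such as the SSH configuration should feed an alert rather than a report nobody reads.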
Healthcare data breaches have been increasing since 2017
We wanted to know whether the healthcare industry was getting any better at securing their data.
It’s been over a decade since HITECH went into effect and organizations have had time to learn, right?
Our findings didn’t quite support that.
The number of breached records has been increasing since 2017.
Prior to that, there was only a two-year period that a decrease was observed.
If you look at reported incidents though, there is a little more room for optimism.
The number of reported incidents has been decreasing since 2017.
Hopefully, this is because fewer incidents are actually occurring.
But it also means that the breaches are getting larger.
Key takeaway: The status quo in healthcare cybersecurity is not working. Organizations need to make meaningful changes to their cybersecurity programs.
Health care providers aren’t the worst offenders
We wanted to know which of the three types of organizations reporting to OCR – health plans, healthcare providers, and business associates – was responsible for the most breached records.
Somewhat surprisingly, we found that health plans were clearly the most responsible.
In fact, health plans leaked 112 million records – more than health care providers and business associates combined.
This could be due to the fact that health plans usually have more patient data than a provider.
The Anthem healthcare data breach is an example of this.
Over 78 million health records were compromised in a single attack – one of the largest breaches in history.
Key takeaway: If you are a health plan organization, you should implement more robust security controls as you have the data of many more individuals than other types of organizations.
Phishing is one of the largest attack vectors
We knew that phishing continues to be one of the most successful attack types on most organizations.
In fact, we typically have around a 50% success rate on social engineering engagements.
So, to see how this has affected healthcare data breaches, we identified all of the breaches that were a result of phishing attacks.
Over 81 million records!
That’s 39% of all leaked medical records since 2009.
A couple of points can be inferred from this statistic:
First, the healthcare industry needs to train its employees on the risks of phishing – and not just with an annual training session, as many organizations do.
Security awareness training must be regular for it to stay on your employees’ minds.
The second point is that multi-factor authentication needs to be adopted more widely.
Key takeaway: More must be done to mitigate the risk of phishing attacks. Security awareness training and multi-factor authentication are two “stepping stones” but the status quo is obviously not working.
Health records shouldn’t be stored on portable electronic media
As we analyzed the healthcare data breaches, we kept noticing references to portable electronic storage media.
So, we decided to dig further.
We added up the incidents that involved portable media.
The result was shocking:
In total, 5.6 million individuals have had their medical records leaked because of portable media devices.
This statistic exemplifies a bigger problem:
Why is so much patient information stored on portable media devices?
OCR recommended that organizations address these issues when developing policies around the use of electronic media and mobile devices:
- Are the devices tracked – their location, movements, modifications and repairs, and their final disposition?
- Does the record of device activity identify the individual responsible for the device at all times?
- Are workforce members trained on the proper use of devices and media?
- Are appropriate technical controls in place to prevent the compromise of medical records?
Key takeaway: If an organization must use portable electronic media to store patient health information, it must implement robust asset management and security controls. Otherwise, it is increasing the risk of compromise.
If you would like access to the raw data and analysis that we performed during our healthcare data breaches study, here is a link to our study methods.
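For readers who want to reproduce tallies like the ones above (records by breach location, share of the total, business-associate involvement, the year-over-year trend, and breaches whose narrative mentions phishing), here is an added example that is not the study’s own code. The column names are an assumption modelled on the public OCR breach portal export, and every row is constructed for illustration.

```python
"""Added example: tallying breach reports the way the study describes.

Not the study's own code. The column names are assumed to follow the public
OCR breach portal export; every row below is constructed.
"""
from collections import defaultdict

COLUMNS = ("Covered Entity Type", "Individuals Affected", "Breach Submission Date",
           "Type of Breach", "Location of Breached Information",
           "Business Associate Present", "Web Description")

# Constructed sample rows (not real breach reports).
SAMPLE_ROWS = [dict(zip(COLUMNS, values)) for values in [
    ("Health Plan", 500000, "2015-03-13", "Hacking/IT Incident",
     "Network Server", "No", "Attackers gained access after a phishing email."),
    ("Healthcare Provider", 4000, "2013-07-01", "Theft",
     "Laptop", "No", "An unencrypted laptop was stolen from a vehicle."),
    ("Healthcare Provider", 9000, "2018-11-20", "Hacking/IT Incident",
     "Network Server, Email", "Yes", "A compromised web server exposed patient records."),
    ("Business Associate", 120000, "2019-05-02", "Hacking/IT Incident",
     "Email", "Yes", "Phishing messages compromised several mailboxes."),
    ("Healthcare Provider", 2500, "2017-02-14", "Unauthorized Access/Disclosure",
     "Paper/Films", "No", "Paper records were left in an unsecured bin."),
    ("Healthcare Provider", 3000, "2019-08-08", "Loss",
     "Other Portable Electronic Device", "No", "A USB drive holding patient records was lost."),
]]


def split_multi(cell):
    """The OCR export packs several categories into one cell, comma separated."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def total_records(rows):
    return sum(row["Individuals Affected"] for row in rows)


def records_by(rows, column):
    """Records attributed to each category of a (possibly multi-valued) column.

    A breach listed under 'Network Server, Email' counts in full under both,
    matching the 'involved X in some way' wording used above; category totals
    can therefore add up to more than total_records().
    """
    totals = defaultdict(int)
    for row in rows:
        for category in split_multi(row[column]):
            totals[category] += row["Individuals Affected"]
    return dict(totals)


def share(rows, column, category):
    """Fraction of all breached records that involved the given category."""
    return records_by(rows, column).get(category, 0) / total_records(rows)


def records_mentioning(rows, keyword):
    """Records from breaches whose narrative mentions the keyword (e.g. 'phish')."""
    needle = keyword.lower()
    return sum(row["Individuals Affected"] for row in rows
               if needle in row["Web Description"].lower())


def records_with_business_associate(rows):
    """Records from breaches where a business associate was involved."""
    return sum(row["Individuals Affected"] for row in rows
               if row["Business Associate Present"] == "Yes")


def records_by_year(rows):
    """Records per submission year, for the trend question asked above."""
    totals = defaultdict(int)
    for row in rows:
        totals[int(row["Breach Submission Date"][:4])] += row["Individuals Affected"]
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    location = "Location of Breached Information"
    print("total records:", total_records(SAMPLE_ROWS))
    print("by location:", records_by(SAMPLE_ROWS, location))
    print("network server share: %.1f%%" % (100 * share(SAMPLE_ROWS, location, "Network Server")))
    print("phishing-related records:", records_mentioning(SAMPLE_ROWS, "phish"))
    print("business associate involved:", records_with_business_associate(SAMPLE_ROWS))
    print("by year:", records_by_year(SAMPLE_ROWS))
```

The one thing to watch when doing this on the real export is the multi-valued cells: because a single breach can list several locations or breach types, the per-category totals are overlapping counts, which is why the percentages in a study like this are best read as "involved X in some way" rather than as slices of a pie that sum to 100%.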
Now I’d like to hear your thoughts:
What’s your #1 takeaway from this analysis?
Or maybe you have a question about the findings.
Either way, leave a comment below right now.