Few industries are as sensitive to data breaches as healthcare. Unfortunately, breaches across healthcare organizations, including providers, vendors and business partners, are on the rise. Our friends at Protenus do a great job of tracking and analyzing the universe of data breaches reported to the Department of Health and Human Services (HHS), and their reports provide plenty of insightful data. We invite you to read the full 2019 Breach Barometer report on Protenus.com. In the meantime, here is a rundown of what we found most interesting in the data.
Background
The Protenus 2019 Breach Barometer analyzed 417 of the 503 known health data breaches reported to HHS in 2018 (the remaining 86 lacked enough detail to analyze). Compromised information typically includes patient dates of birth, Social Security numbers, insurance information, dates and records of service, home addresses, and more. The data set covers both internal and external breaches of varying sizes, across 48 states plus Puerto Rico. Here's what we think you need to know.
More breaches, bigger breaches...
503 reported breaches equates to more than one breach per day, every single day. That is a modest increase of about 6% over 2017, but the breaches themselves are getting bigger: nearly three times as many patient records were exposed as in the year before. And the trend is not looking good; the number of records exposed grew quarter over quarter throughout the year.
Just because you haven’t found a breach doesn’t mean you don’t have one.
On average it takes a healthcare organization 8.5 months to detect a breach, and the oldest breach reported in 2018 had begun 15 years earlier. Executive teams should assume it is entirely possible that their organization has already been breached but has not discovered it yet, and might not for some time.
External breaches are higher-profile, but insider breaches cause more harm.
More than a quarter (28%) of reported breaches were insider breaches (vs. 72% external). Internal breaches sound more benign, but in practice they are more damaging, for two reasons: they take longer to uncover (external breaches are easier to detect), and insiders can do more harm with the data because they understand what it is and how to use it.
Beware the bad actors inside your walls.
According to Protenus, for every 1,000 healthcare employees, 3.86 will breach patient privacy. Insiders are also more likely to be repeat offenders: 51% of the privacy violations uncovered were committed by employees who had violated patient privacy before. All the more reason to make sure your access controls are locked down and that access to patient records is monitored.
For risk management from external threats, don’t overlook the basics.
Attackers continue to rely on basic, everyday tactics. Phishing in particular was prevalent in healthcare breaches throughout 2018. This underscores the need for continued, high-quality training on how to recognize and avoid phishing, and on how and when to report it.
Bottom Line…
Don't ignore the basics: training, employee oversight, documentation of access rights, and other security fundamentals are more important than ever. But they all need to be managed centrally, in a way that can be indexed, documented and updated over time. You can't rely on point-in-time audits alone. Audits help you document your readiness, but without tooling to manage your security program continuously, you are always in the dark between audits.
How Can We Help?
Just getting started with risk management for healthcare? Ostendio’s comprehensive FAQ will help you understand the complexities of healthcare regulation and compliance including HIPAA and HITECH.
Ready to Get Serious? Schedule a Demo with one of our experts today who can show you how Ostendio’s MyVCM Integrated Risk Management platform can help you build a security program designed to stand up to auditors and hackers alike.
October 31, 2019