HIPAA Healthcare Data Breaches – Looking back at 2017
With the Banner Health data breach that shook healthcare providers in 2016 recording 3.6 million individuals affected, cyber security came to the spotlight for the healthcare industry.
However, in 2017, as we analyze HIPAA breach data reported to the OCR, the severity of incidents might have decreased but not the numbers.
Here are some of the major highlights of the reported HIPAA healthcare data breaches in 2017:
- The number of breaches reported in 2017 have increased by more than 100% when compared to 2016 (as a matter of fact, OCR seems to have updated the number of HIPAA data breaches in 2016 from 223 to 104).
- While the number of incidents reported in 2017 were higher than the previous year, the number of individuals affected were at an all-time low during the previous 4-year period.
- Healthcare providers were again the worst hit (reporting 231 HIPAA data breach incidents in 2017).
- Hacking/IT incidents and unauthorized access continues to be the main culprits behind majority of the incidents.
- There were 2 data breaches that impacted 500,000 and more people as per the reported breaches.
- While there were more states in 2016 that reported no breaches, some states continued the breach-free status for the past two years [NM, SC, WY, ID].
- The largest breach was a theft reported in the Kentucky state that affected 697,800 individuals by the Commonwealth Health Corporation.
- While Texas reported maximum hacking incidents in 2017, New York consistently reported maximum unauthorized disclosures in 2016 and 2017 as well.
*This data analysis is based on the breach data reported to the OCR by 3rd Jan 2018.
Here’s what healthcare IT experts have to talk about the healthcare data security in 2018:
David S. Muntz, Principal at StartBridge Advisors says, “there are several factors raising the risk profile: an expansion of end points associated with the explosive growth of IoT and personal devices, the growing gap between demand for and supply of experienced cybersecurity professionals, and increasingly sophisticated bad actors.”
He adds, “on the positive side, users are more aware and vigilant, vendors are providing countermeasures for previously unprotected and vulnerable products/devices, architects for new and evolving products/devices are adding security countermeasures into the design and testing processes, and HIPAA will be perceived not as a deterrent, but as an enabler for data sharing.”
Tim Erlin, VP, Product Management and Strategy at Tripwire predicts, “We’ll see a significant breach in the healthcare industry in 2018. With a growing focus on the vulnerability of medical devices and electronic healthcare records, the hospitals, insurers and manufacturers will all be in the crosshairs of cybercriminals in 2018.”
Kris K. Wilson, CIO at Hilo Medical Center talks about EHRs. He says, “As EHRs mature and collect vast amounts of data, keeping this data safe as adept cybersecurity threats increase must remain at the forefront. Educating staff on the proper use of hospital systems and placing safeguards within your EHR to limit the amount of data accessible is a good start to overcoming this challenge.”
While Lee Barrett, Executive Director of the Electronic Healthcare Network Accreditation Commission suggests, “Healthcare organizations will need to embrace risk-management strategies and to carefully go over security frameworks.”
Additionally, Mark Jackson, Principal Information Assurance Architect, Cisco UK public sector says, “Organizations should also focus heavily on breach and incident readiness. This should be in the form of a set of well-developed plans, but also through the exercising of those plans.”
So, what lies ahead in healthcare data security? Will cybersecurity measures be able to tackle with the growing number of incidents? Only time will tell.