Safe & Sound with Marianne Kolbasuk McGee

Hackers Dominate Big 2015 Breaches

HHS 'Wall of Shame' Shows Health Insurers in Crosshairs
Hackers Dominate Big 2015 Breaches

We're midway through 2015 and we're seeing a new breach trend emerge in healthcare. Gone are the days of lost and stolen unencrypted computing devices dominating the tally of major health data breaches. Hackers have officially replaced sloppy employees and petty thieves as the biggest threats to health data privacy.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

Seven of the 10 largest health data breaches so far this year have been hacker attacks, affecting nearly 92.1 million individuals, according to a July 2 snapshot of the Department of Health and Human Services' infamous "wall of shame" website.

Of those seven biggest hacking incidents, the top five were assaults aimed at health insurers. Some privacy and security experts speculate insurers are the latest hacker targets because of the large, valuable troves of sensitive data they store, ranging from personal identifiers like names, Social Security numbers and date of birth, to details about individuals' medical conditions and treatments.

Two of those incidents reported in 2015 - by health insurers Anthem Inc. and Premera Blue Cross - are also the two largest health data breaches on record since September 2009, which was when the HIPAA breach notification rule came into effect and the feds began keeping a tally of breaches affecting 500 or more individuals.

The Anthem and Premera breaches alone affected 90 million individuals this year. That's 67 percent of the nearly 135 million individuals affected all 1,258 major breaches posted on the wall of shame since 2009.

It doesn't stop there. The third, fourth and fifth largest health data breaches this year also were hacking attacks aimed at health plans. Those included:

Patterns Emerging

That hacker attacks dominate so many of the top spots on the HHS wall of shame is a pretty new phenomenon. Until fairly recently, most of the largest breaches listed on the federal website were attributed to incidents involving stolen or lost unencrypted computing devices, like laptops.

For instance, a breach involving an unencrypted laptop stolen from the car of a Science Applications International Corporation employee doing work for the military health program TRICARE, dominated the top spot on the wall of shame for nearly four years after it was reported in November 2011.

However, the Anthem and then Premera incidents this year knocked the SAIC breach, which affected 4.9 million individuals, from both the No. 1 and No. 2 spots on the wall of shame ranking. (SAIC is the third largest HIPAA breach of all time, at least for now.)

Spotty Past

That doesn't mean hacking incidents in the healthcare sector emerged out of nowhere in 2015. There have been hacking attacks resulting in HIPAA breaches in the past. However, for the most part, these incidents didn't start showing up on the wall of shame with any regularity until the latter half of 2014.

That was when Community Health System reported last August a hacker attack that compromised protected health information of 4.5 million individuals. And two months earlier in 2014, the Montana Department of Public Health and Human Services reported a hacking incident that impacted 107,000 individuals.

Before that, though, there was only a smattering of large hacking incidents dotting the wall of shame. For instance, before the Community Health System hacking attack last August, the biggest hacking incident on the wall of shame was a breach affecting 788,000 reported in 2012 by the Utah Department of Technology Services, which is business associate of the Utah Department of Health..

Lessons Learned

The healthcare sector has plenty of company when it comes to big hacker breaches making headlines in 2015. The latest, of course being the Office of Personnel Management hacker attack, a government sector incident that some experts estimate affected as many as 18 million individuals.

So, with the healthcare sector (and others) clearly being in the bulls eye for hackers this year, what should organizations do to prevent being the next target? They could consider some measures being taken by other entities that have been ramping up their defenses in recent months.

Steph Warren, interim CIO of the Department of Veterans Affairs, says the recent OPM breach in particular serves as an opportunity to remind the VA's workforce about the importance of strong passwords, securing wireless networks, avoiding phishing scams and potentially malicious websites, as well as individuals "not oversharing" personal information on social media sites.

Heather Roszkowski, CISO of University of Vermont Medical Center, also has been ramping up user awareness at her organization in recent months to fight an uptick in phishing attempts, including those "laced with malware in an attempt to steal credentials," she says.

Shining Light on Authentication

When it comes to protecting unauthorized access to systems, the VA's Warren noted during a media briefing on July 1 that the VA is shining a particular spotlight lately on multi-factor authentication.

Stanley Lowe, VA deputy assistant secretary for information security, issued June 30 a couple of memos to remind top VA IT leaders that the use of two-factor authentication is required by the department. That means the use of personal identity verification, or PIV, cards and PINs to gain access to any VA information systems. The rules apply to VA users with "elevated privileges" such as systems administrators, as well as users who are not responsible for direct patient care.

So, if your organization also wants to avoid being listed among top wall of shame breaches in the second half of 2015, now's the time to ramp up your information security and breach prevention efforts, too.

What are you doing to defend against hackers? Share your best tips in the space below.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.