Breach Tally: Hacking Incidents Still on the RiseLatest Analysis of Federal Breach Tally Trends
So far in 2017, hacking incidents continue to affect the largest number of individuals impacted by major health data breaches. Meanwhile, incidents involving lost or stolen unencrypted computing devices continue to decline, according to the latest snapshot of the federal breach tally.
As of March 9, 50 major breaches impacting 424,286 individuals have been added to the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of major breaches affecting 500 or more individuals.
Of those 2017 incidents, 20 are listed as unauthorized access/disclosure breaches; 14 are hacking incidents; and 14 are breaches involving loss/theft of protected health information. Of the incidents involving loss or theft, eight involved paper/film records, and six involved unencrypted desktop or laptop computers, or other portable devices.
As of March 9, more than 171.66 million individuals in total have been impacted by the 1,852 major breaches that have been reported to HHS since September 2009.
Hacker Victim Tally Rises
In total so far in 2017, 14 hacking incidents affected nearly 262,000 individuals, or about 60 percent of all individuals impacted by major HIPAA breaches.
Of all wall of shame breaches posted since 2009, 283 are listed as hacking incidents that affected nearly 129 million individuals, or about 75 percent of the total number of victims impacted. Several large cyberattacks reported in 2015 by health plans impacted more than 100 million of the total. The largest of those hacker incidents was a cyberattack impacting nearly 79 million individuals that was reported by Anthem Inc. in 2015.
However, compared with the string of cyberattacks in 2015 that affected tens of millions of individuals, the largest hacking incidents so far in 2017 have affected tens of thousands of victims.
As of March 9, a hacking incident affecting nearly 86,000 individuals reported on March 2 by VisionQuest Eyecare in Indiana is the largest breach posted so far on the wall of shame in 2017. VisionQuest declined to provide Information Security Media Group details about the incident, and as of March 9, no notification statement was posted on the company's website.
The next largest breach posted on the wall of shame so far in 2017 is also a hacking incident that affected nearly 80,000 individuals, which was reported on Feb. 21 by Atlanta-based Emory Healthcare.
The hacking breach trend impacting healthcare sector organizations isn't likely to abate anytime soon, says security expert Mac McMillan of consulting firm CynergisTek.
"This is at the beginning of the new norm for the healthcare industry, and how effective we will be at combatting these attacks will depend on how long it takes organizations to get serious about implementing the right controls and investing in the right support and technology," he says.
"Certifications, checklists and dashboards are not indicators of how secure an enterprise is - active controls, continuous monitoring, independent testing, appropriate investment and vigilant management are far better indicators of a healthy program."
Unauthorized Access and Disclosure
Meanwhile, so far in 2017, the 20 breaches listed on the wall of shame as "unauthorized access/disclosure" breaches impacted a total of nearly 138,000 individuals.
The largest of those "unauthorized access/disclosure" incidents so far impacted nearly 75,000 individuals and involved a desktop computer. That incident was reported on Jan. 23 by Stephenville Medical & Surgical Clinic, Texas, which declined to provide ISMG details, saying the incident is under review by OCR.
Unauthorized access or disclosure breaching involving insiders or even external actors can reflect any of several security weaknesses, McMillan notes.
"Many of these incidents are the result of poor access controls, poor user administration, lack of encryption, strong passwords or multifactor authentication, poor system configurations, inadequate testing and monitoring, etc. Most hacks are still taking advantage of administrative mistakes," McMillan says.
Cybercriminals - Inside and Outside
Rebecca Herold, president of SIMBUS LLC, a privacy and security cloud services firm and CEO of The Privacy Professor, a consultancy says all organizations need to stay vigilant against unauthorized access and disclosure breaches, including those involving hackers, as well as insiders.
"The value of health data is great enough that many cannot resist the temptation to steal it. And too many healthcare organization have no, or little, activity monitoring implemented, so insiders know they will likely be able to get away with the data steals without being caught."
In addition, "we are going to have both outsider hackers increasing their efforts, especially motivated now with the Wikileaks CIA data dump revealing new data exfiltration tools to them that they have not been aware of before," she predicts.
"Besides having more computing devices, digital storage, and internet of things devices that healthcare organizations are increasingly using to deliver patient care, as well as use for insurer processes, the hackers will have found new tools and ideas that they can use from the CIA data dump to use to get to that very valuable patient data," she notes.
In recent years, the number of incidents - and number of victims impacted - by breaches involving lost or stolen unencrypted computer or storage devices has also been falling.
The six breaches so far posted in 2017 involving lost or stolen unencrypted computing devices impacted a total of about 15,000 individuals.
In previous years, incidents involving loss or theft of unencrypted computing devices dominated wall of shame breaches, including victim counts.
For instance, five years ago, the wall of shame shows that nearly half of the 209 major breaches reported to HHS in 2012 involved lost or stolen unencrypted laptops, desktops or other mobile computing or storage devices.
By comparison, for the 329 breaches listed on the wall of shame in 2016, only 40, or about 12 percent, involved lost or stolen unencrypted devices, signs that covered entities and business associates have become more proactive in implementing encryption. Also, helping to put a spotlight on the importance of encryption were several HIPAA breach settlements, including a couple multi-million dollar settlements, that OCR has signed in recent years that spotlighted incident involving unencrypted devices.
To date, the largest incident involving unencrypted devices was the theft of four desktop computers stolen from Chicago-based Advocate Health Care in 2013, which impacted about 4 million individuals. That incident was also the subject of an OCR breach investigation that resulted in a record $5.55 million HIPAA violation case settlement with the agency last August.
Meanwhile, over the past year, the largest breach involving unencrypted devices was the theft of a laptop computer containing PHI for 400,000 individuals that was reported to HHS by California Correctional Health Care Services in May 2016.
Learning for Others' Mistakes
Security expert Tom Walsh, CEO of consulting firm tw-Security, says that to help prevent breaches that land covered entities and business associates on the wall of shame, it's important to learn from the mistakes of others.
Walsh says his firm regularly reviews the corrective action plans that are part of HIPAA violation and breach investigation settlements posted on the OCR's website "to look for the reasons cited by the OCR for fines."
Walsh notes that the most common reasons given by the OCR for financial settlements and fines are failure to:
- Conduct an accurate and thorough risk analysis that incorporates all information technology equipment, applications and data systems storing PHI;
- Create and maintain a risk management plan;
- Implement policies and procedures and retain for six years;
- Reasonably safeguard the electronic PHI using prevailing practices;
- Encrypt computing devices and storage media;
- Obtain satisfactory assurances in the form of a written business associate agreement;
- Monitor and maintain user provisioning, such as not removing user access in a timely manner.