Given that health records have become a very valuable commodity, the healthcare industry has well-established issues with lax security, and the coronavirus has created a slew of new opportunities due to the rise in telemedicine, it’s not a surprise that there has been a significant increase in healthcare cyber attacks. The numbers revealed by a new Bitglass study are nevertheless eye-popping: an increase of over 55% in 2020, with an estimated impact to the protected health information (PHI) of some 26 million people in the United States.
Opportunistic hackers increasingly see medical records as flexible all-in-one identity theft packages and scam toolkits. This has turned attacks on healthcare providers into a $13.2 billion industry, with the average data breach cost per record rising to $499 last year.
Healthcare cyber attacks take center stage
The annual Bitglass “Healthcare Breach Report” analyzes data posted to the “Wall of Shame” breach reporting and public accountability website run by the U.S. Department of Health and Human Services. This data has shown a steady rise in healthcare cyber attacks in recent years, but 2020 was more severe due to a combination of pandemic conditions: organizations shifting to remote work models, increasing permissibility of “bring your own device” (BYOD) policies for internal networks and the rapid onboarding of new cloud-based services.
The total count of US healthcare breaches rose from 386 in 2019 to 599 in 2020, an increase of 55.1%. The clear majority of these breaches were caused by hacking and IT incidents (67.3% in total). However, in terms of impact to patients whose records were stolen or compromised, 91.2% of breach incidents that resulted in theft of personal information were attributed to these healthcare cyber attacks. Collectively, it is estimated that about 26 million patient records were exposed to unauthorized parties in the US in 2020, with about 24.1 million of those the result of healthcare cyber attacks.
The pattern of medical record breach causes has inverted in a big way in only about half a decade. In 2014, the leading cause of record loss was physical theft or loss while hacking was a trivial concern. Healthcare cyber attacks really began to spike in 2018, and are now responsible for vastly more incidents of sensitive data loss. The study finds that the handling of cloud migration and digital transformation of records for internet-based sharing has been a central element of this change.
Certain states were hit harder than others in 2020. While this pattern generally lines up with overall state population, there were some outliers. Michigan had the largest count of individuals affected in spite of a lower-middle population ranking among the states, due largely to the Trinity Health breach, which lasted for about a month and impacted the Mercy Health and St. Joe’s hospitals throughout the state. Only four states did not experience a breach in 2020 (Wyoming, South Dakota, Vermont and Missouri). 37 states saw their breach numbers go up from 2019.
The cost per record and average total breach costs in healthcare are now the most expensive among all industries. The healthcare industry also experiences the longest average breach recovery time (236 days) and takes the longest on average to identify breaches (96 days).
Why the rise in healthcare cyber attacks?
So what has brought the industry to this state and prompted the precipitous rise in healthcare cyber attacks? In addition to generally poor handling of the digitization of patient records and movement of them to cloud services, the report identifies the use of legacy tools that are simply too old to be able to keep up with modern cybersecurity needs. Radiological imaging systems using the DICOM standard are a well-documented example of this, with hackers sometimes able to waltz right into these systems without a password and immediately have the access and privileges that a physician would.
Garret F. Grajek, CEO of YouAttest, notes that the federal government has stepped up fine activity in response to these common failings: “The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that enforces federal civil rights laws has been issuing substantial fines for not adhering to the practice and procedures outlined in the HIPAA regulations. These include: $2.3m fine to Community Health Systems for a 6.1m data record breach and a $6.85m fine to Premera for a 10.4m breach in records. Both were cited for failures concerning risk management and access controls.”
However, HIPAA has its limitations as a cybersecurity enforcement tool. The 25-year-old law was not designed with cybersecurity in mind and has not been adapted to keep up with the conditions that lead to modern healthcare cyber attacks, such as internet-based storage of records and file transfers. One issue is that it only applies to direct patient care providers, generally those that have a brick-and-mortar facility; it does not account for things like fitness and personal health apps that sometimes collect personal data that would otherwise be subject to HIPAA rules. Another issue is vendor compromise. HIPAA does have some provisions requiring healthcare providers to enter into contracts with third-party suppliers that might have access to patient information, and those contracts must provide for some level of data security, but this is not entirely adequate to the task. These contracts often simply assign blame to the vendor formally in the event of a breach rather than requiring things like ongoing third-party audits that could root out vulnerabilities before they develop and curtail healthcare cyber attacks.