According to Jim Trainor, deputy assistant director of the FBI Cyber Division, "Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day."1
The largest healthcare data breach to date involved the insurance giant Anthem, in which about 80 million patient records were compromised. The cost of cleaning up the Anthem data breach is likely to exceed its $100 million cyber-liability insurance cap.2 Few healthcare organizations can handle a blow that devastating. Yet most healthcare C-suite leaders haven't paid close enough attention to the fast-changing environment in data security.
Here's the problem in a nutshell: many C-suites and boards lack the knowledge and experience to understand the scope and severity of the cyber-risk challenges they face, and few hospitals are exceptions. Hospital leaders place a high premium on quality of care, patient safety and financial stability – yet those priorities are all in serious jeopardy when their organizations take a fragmented approach to data security.
10 Sobering Facts About Healthcare Data Breaches
Complacency in hospital C-suites would vanish overnight if all leaders would grasp the significance of these 10 unsettling facts:
1. Criminal attacks are now the leading cause of healthcare data breaches. In a 2015 study on the privacy and security of healthcare data (co-sponsored by IBM and the Ponemon Institute), criminal attacks accounted for 45 percent of data breaches – and it was the first year in which criminal intrusions were the #1 cause of data breaches.3
2. The number of HHS-reported breached records is growing at an astonishing rate. In 2014, the Department of Health and Human Services (HHS) reported that 12.6 million health records had been breached. But in 2015, that number had grown to more than 113.2 million records.4
3. Healthcare breaches are increasing because hackers are learning how to monetize patients' personal data on the so-called "Dark Web." "The healthcare industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized healthcare databases are more valuable," says Tom Kellermann, Chief Cybersecurity Officer at Trend Micro.5 Just this summer, a hacker dubbed "The Dark Overlord" reportedly stole nearly 10 million patient records and put them up for sale for almost $500,000 on the Dark Web.6
4. Ransomware is on the rise. Criminals are now targeting hospitals, jeopardizing the availability of health information when it is needed most. Ransomware is malicious software that encrypts a hard drive, locking down vital patient data until a ransom is paid (usually in cryptocurrency). The HHS Office for Civil Rights (OCR) recently published guidance that reiterates the requirement to conduct a breach risk assessment and provides specific factors to be considered in ransomware cases.7 Even if sensitive data is never disclosed, the abducted information is nevertheless unavailable to clinicians – which could be life-threatening prior to a major surgery or medication change.
5. The costs associated with data breaches can be staggering – and they're rising rapidly. The IBM/Ponemon study estimates that the average cost of a health provider data breach is more than $2.1 million. Those costs include IT system remediation and patient notification – and the total can often rise higher due to lost business, class-action lawsuits, and more. One recent academic study found that the average award in data breach class-action lawsuits is $2,500 per plaintiff.8
6. Data breaches also occur inside organizations. Hackers aren't the only problem. The IBM/Ponemon study found that 12 percent of healthcare data breaches were the work of insiders: inadvertent employee errors, unauthorized snooping into medical records, etc.
7. Business associates are responsible for the majority of insider data breaches. Hospitals are now responsible for contractually ensuring that their business associates (BAs) are safeguarding data and are reporting data breaches to HHS. The IBM/Ponemon report found that BAs are responsible for nearly 60 percent of insider data breaches.
8. Medical identity theft is a growing problem – and a financial/PR nightmare for many organizations. Here are some of the shocking findings in the most recent report from the Medical Identity Fraud Alliance (MIFA):
• 2.3 million Americans have been victims of medical identity theft.
• About two-thirds of these victims had to pay an average of $13,500 to resolve the matter.
• 30% of victims have no idea when they were targeted – and the typical victim is notified three months after the theft or fraud occurs.9
• Almost half of patients said they would find a different provider if they were informed that their medical records were stolen.10
9. Cybersecurity insurance is very expensive, and may only cover a portion of the total costs of a data breach. Cybersecurity insurance usually covers the cost of regulatory investigation, lawsuit defense, third-party liability and business interruption. But according to a recent Reuters report, insurers will no longer write cybersecurity policies exceeding $100 million in industries that have already been stung by large data breaches. Some healthcare organizations saw their premiums triple last year.11 That means that annual premiums can exceed $500,000, with deductibles also as high as $500,000.
10. Risk assessments and risk management are required by law. Many healthcare organizations fail to understand that periodic risk assessments and follow-up risk management aren't optional; they're required by law and enforced by the OCR. Oregon Health & Science University12 and the University of Mississippi Medical Center13 recently paid OCR $2.7 million and $2.75 million respectively in penalties for (among other things) not following up on remediation plans.
Finding A Comprehensive Solution
Clearly, any cyber-risk solution that offers band-aids and token compliance checklists is doomed to failure. Here are the elements of a comprehensive program:
• Ability to identify all cyber risks across the enterprise – Large healthcare organizations like CareFirst, Premera and Anthem have experienced significant data breaches in recent years, and each had its own unique characteristics.
• Finding a cyber-risk partner who effectively augments the hospital's skill shortages, experience and resources.
• Ability to mature the program through ongoing assessment, mitigation, training, support, reporting and board-level oversight.
• Reliance on both robust software and human expertise – An effective program requires a robust SaaS platform developed and maintained by industry experts in accordance with guidelines established by the OCR.
• Ability to document results and ROI – A comprehensive cyber-risk program must be cost-effective and efficient. A well-designed program can preserve capital and avoid penalties that would otherwise cost the hospital millions of dollars.
• Endorsement by leading healthcare organizations – A cyber-risk program should have the endorsement of trusted industry groups like the American Hospital Association.
Every Hospital's #1 Obligation
The expression "First, do no harm" is not just a guiding principle for caregivers. It's the rallying cry for protecting the confidentiality, integrity and availability of sensitive patient information.
All healthcare organizations must safeguard, with due diligence, the information they create, receive, maintain and transmit. There is too much at stake for them to take a reactive, piecemeal approach.
Any healthcare organization that implements a comprehensive cyber-risk program can rest assured that it has gone the extra mile in protecting sensitive patient data and avoiding colossal costs. An enterprise-wide program helps the organization achieve its highest goals: greater patient safety, comprehensive regulatory compliance and significantly reduced exposure to cyber-risks.
Bob Chaput is CEO of Clearwater Compliance, an information risk management firm headquartered in Brentwood, Tenn.
References:
1 Tech Target website, May 20, 2015. http://searchhealthit.techtarget.com/news/4500246657/Federal-authorities-on-to-healthcare-cybercrime
2 CNET report, 2015. http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/
3 IBM/Ponemon "Cost of a Data Breach" Report, 2015. http://www-03.ibm.com/security/data-breach/
4 HHS/OCR Breach Portal. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
5 Insurance Business America, May 8, 2015. http://www.ibamag.com/news/90-of-firms-in-this-industry-were-hit-by-a-cyberattack-in-past-2-years-22382.aspx
6 Fox News report. http://www.foxnews.com/tech/2016/06/28/hacker-looks-to-sell-9-3-million-alleged-patient-healthcare-records-on-dark-web.html
7 HHS Ransomware Fact Sheet. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
8 Academic paper: Empirical Cost of Data Breach Litigation. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461
9 Medical Identity Fraud Alliance (MIFA) 5th Annual Study On Medical Identity Theft. http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/
10 MIFA study. http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
11 Reuters, Oct. 12, 2015. http://www.reuters.com/article/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012
12 HHS website. http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html#
13 HHS website. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/UMMC/
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.