Healthcare Cybersecurity

HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page

The Department of Health and Human Services’ Office of Inspector General (HHS OIG) is raising awareness of the work it conducts to combat cyberthreats within the HHS and the healthcare industry as a whole and is taking steps to increase transparency of its cybersecurity activities.

One of those steps is the creation of a new web page that explains the activities HHS OIG is undertaking to improve cybersecurity. The cybersecurity-focused page will be updated regularly with details of activities that have benefited HHS programs and strengthened their defenses, including reports of OIG audits, evaluations, and inspections of the HHS offices and agencies it oversees.

On the new web page, HHS OIG explains that it currently uses a three-pronged approach to safeguard data and the systems on which those data are stored. They are IT security controls, risk management, and resiliency.

IT security controls are technological and procedural controls that protect against vulnerabilities to the confidentiality, integrity, and availability of data and systems. Risk management is proactively identifying risks and threats and taking action to reduce those risks to a reasonable and acceptable level. Resiliency is the development of policies and procedures for incident response that will ensure it is possible to recover quickly from a cyberattack.

HHS OIG explained that it has formed a multidisciplinary cybersecurity team that applies those three principles across the HHS offices and agencies it oversees. The team consists of auditors, investigators, evaluators, attorneys, and other stakeholders focused on fostering improvements in IT security controls, risk management, and resiliency to cyberattacks.

Independent IT and cybersecurity audits of HHS programs, grantees, and contractors are conducted by the OIG Office of Audit Services, Cybersecurity and Information Technology Audit Division. The audits identify risks and threats to data to allow action to be taken to prevent cyberattacks.

Broad evaluations of HHS cybersecurity-related programs are conducted by the Office of Evaluation and Inspections. Legal support for OIG cybersecurity work is provided by the HHS OIG Office of Counsel. Criminal investigations into incidents and allegations affecting HHS programs, in particular violations of the Computer Fraud and Abuse Act, are conducted by the Computer Crimes Unit of the HHS OIG Office of Investigations.

Reports of HHS OIG activities dating back to 2016 have already been uploaded to the page and, at launch, there are four cybersecurity-related reports from 2018: a review of Medicare contractor information security program evaluations; a review of HHS compliance with FISMA; an audit report on the CMS enrollment system; and a report on a study of the FDA’s review of cybersecurity in premarket submissions for networked medical devices.

HHS OIG summarizes the actions it is taking to address cybersecurity within HHS and the healthcare industry in the video below:

The post HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page appeared first on HIPAA Journal.

Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued five advisories in the past week about vulnerabilities discovered in equipment used by healthcare organizations in the United States.

Change Healthcare PeerVue Web Server

A vulnerability (CVE-2018-10624) has been identified in the Change Healthcare PeerVue Web Server that exposes information about the server through an error message. The disclosed details could help an attacker tailor a further attack on the system. Exploitation requires only a low level of skill, but the attacker must be on an adjacent network.

The flaw was discovered by security researcher Dan Regalado of Zingbox and has been assigned a CVSS v3 base score of 4.3.

Change Healthcare took rapid action to address the vulnerability and a patch has now been issued. Users should contact Change Healthcare if they are running PeerVue Web Server 7.6.2 or earlier for information about installing the patch.

Carestream Vue RIS

A vulnerability (CVE-2018-17891) has been discovered in the Carestream Vue RIS web-based radiology system. According to the advisory, an attacker with access to the network could passively read traffic and obtain information about the system.

Carestream has confirmed that the vulnerability affects RIS Client Builds version 11.2 and earlier running on Windows 8.1 machines with IIS/7.5.

The exposed information comes from an HTTP 500 error message, returned when a client contacts a Carestream server while no Oracle TNS listener is available. The details in that message could be used to stage a more elaborate attack.

The vulnerability, which was also identified by Dan Regalado of Zingbox, has been assigned a CVSS v3 base score of 3.7.

Carestream has resolved the vulnerability in the current version of its software (v11.3). Users unable to upgrade immediately should disable “Show debug messages” and enable SSL for client/server communications.
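The Carestream issue is an information-exposure-through-error-message bug: a backend failure (here, no Oracle TNS listener) is reflected into the HTTP 500 body the client receives. The Python sketch below is an added illustration and not Carestream’s code; it simulates the failing backend call and shows the two behaviours side by side. The verbose handler is what a “Show debug messages” setting amounts to; the hardened handler logs the detail server-side under a reference ID and returns only a generic body. The DSN, the ORA-12541 text, and the `ris-web` logger name are constructed for the example, and `leaks_internals` is a simple check a tester can run over a captured 500 response.

```python
"""Verbose vs. hardened HTTP 500 handling (added illustration, not Carestream code)."""
import logging
import traceback
import uuid

log = logging.getLogger("ris-web")  # constructed logger name for the example


class BackendUnavailable(Exception):
    """Raised when the (simulated) database tier cannot be reached."""


def query_backend(dsn: str) -> str:
    # Constructed failure: stands in for a connect attempt made while no Oracle
    # TNS listener is up. A real driver raises with similar detail in its text.
    raise BackendUnavailable(f"ORA-12541: TNS:no listener (dsn={dsn})")


def render_error_verbose(exc: Exception):
    # "Show debug messages" behaviour: exception text and stack trace go to the
    # client, revealing backend type, host names and code paths.
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "500 Internal Server Error\n" + trace


def render_error_hardened(exc: Exception):
    # Hardened behaviour: full detail is logged server-side under a reference ID;
    # the client only sees the ID, which support staff can match to the log entry.
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s: %s", ref, exc, exc_info=True)
    return 500, f"500 Internal Server Error (reference {ref})"


def handle_request(dsn: str, debug: bool):
    """Serve one request; on backend failure pick the error rendering by debug flag."""
    try:
        return 200, query_backend(dsn)
    except BackendUnavailable as exc:
        return render_error_verbose(exc) if debug else render_error_hardened(exc)


# Strings whose presence in a 500 body indicates internal detail is leaking.
LEAK_MARKERS = ("Traceback", "ORA-", "TNS", "dsn=", ".py")


def leaks_internals(body: str) -> bool:
    """Check a captured error response body for internal detail."""
    return any(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for debug in (True, False):
        status, body = handle_request("db01.ris.internal:1521/RIS", debug)
        print(f"debug={debug} status={status} leaks={leaks_internals(body)}")
```

The marker list is deliberately crude; in practice it would be extended with the product’s own stack-trace and connection-string signatures. Disabling debug output removes the leak, but the page’s second mitigation, TLS for client/server traffic, is what stops the same details being read off the wire.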

Siemens SCALANCE W1750D

Siemens has discovered a vulnerability (CVE-2018-13099) in SCALANCE W1750D WLAN access point firmware prior to v8.3.0.1 that could allow an attacker to decrypt TLS traffic. ICS-CERT notes that public exploits for the vulnerability are already available.

To exploit the vulnerability, the attacker would require network access to a vulnerable device. By observing TLS traffic between a legitimate user and a device it would be possible for the attacker to decrypt TLS traffic.

The vulnerability has been assigned a CVSS v3 base score of 5.9.

Siemens has corrected the flaw in firmware v8.3.0.1, and all users are advised to upgrade as soon as possible. Until the upgrade is applied, Siemens recommends restricting access to the web interface of affected devices and operating them only within a protected IT environment.

Siemens ROX II

Siemens has discovered two improper privilege management vulnerabilities affecting all versions of its ROX II products prior to v2.12.1. The vulnerabilities can be exploited remotely and only require a low level of skill.

Siemens reports that an attacker with access to Port 22/TCP with valid low-privileged user credentials for the device could exploit a vulnerability (CVE-2018-13801) to escalate privileges and gain root access to the device. The vulnerability has been assigned a CVSS v3 base score of 8.8.

An authenticated user with a high-privileged account accessing the SSH interface on Port 22/TCP could bypass restrictions and execute arbitrary operating system commands. This vulnerability (CVE-2018-13802) has been assigned a CVSS v3 base score of 7.2.

Both vulnerabilities have been corrected in v2.12.1 of the software and users have been advised to upgrade as soon as possible. In the meantime, network access to Port 22/TCP should be restricted, if possible.

Siemens SIMATIC S7-1200 CPU Family Version

A remotely exploitable vulnerability (CVE-2018-13800) has been identified in all versions prior to 4.2.3 of SIMATIC S7-1200 CPU Family Version 4.

The cross-site request forgery vulnerability could be exploited if a legitimate user who is authenticated to the web interface is tricked into opening a malicious link, for instance one sent by email. Because the browser attaches the existing session to the resulting request, the attacker could read or modify parts of the device configuration.

The vulnerability, identified by Lisa Fournet and Marl Joos from P3 communications GmbH, has been assigned a CVSS v3 base score of 7.5.

Siemens has addressed the vulnerability with a new firmware version and has urged all users to upgrade to v4.2.3 as soon as possible. Until the firmware upgrade has been applied, Siemens recommends that users do not visit other websites while they are authenticated against the PLC.
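The S7-1200 issue works because the browser sends the PLC session cookie with any request aimed at the PLC, including one a malicious page triggers, so a handler that trusts the cookie alone cannot distinguish a forged request from a real one. The Python sketch below is an added illustration, not Siemens firmware: it models a configuration-change endpoint as a function over a request dictionary and shows the cookie-only check next to one that also requires a POST, a same-origin Origin or Referer header, and a per-session token that only the PLC’s own page carries. The origin `https://plc.example.local`, the request field names and the session layout are assumptions of the example.

```python
"""Cookie-only vs. CSRF-protected config endpoint (added illustration, not Siemens code)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the PLC web interface; anything else is a cross-site request.
TRUSTED_ORIGIN = "https://plc.example.local"


def new_session() -> dict:
    """Session created at login: an opaque ID (the cookie) and a per-session CSRF token."""
    return {"id": secrets.token_hex(16), "csrf": secrets.token_urlsafe(32)}


def same_origin(header_value: str, trusted: str) -> bool:
    """Compare scheme and host:port of an Origin or Referer value with the trusted origin."""
    a, b = urlsplit(header_value), urlsplit(trusted)
    return bool(a.scheme) and bool(a.netloc) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def change_config_vulnerable(request: dict, session: dict):
    """Authenticates by session cookie only; a forged cross-site POST passes."""
    if request.get("cookie_session") != session["id"]:
        return 401, "not authenticated"
    return 200, f"config updated: {request.get('body', {}).get('setting')}"


def change_config_hardened(request: dict, session: dict):
    """Cookie, then method, then Origin/Referer, then synchronizer token."""
    if request.get("cookie_session") != session["id"]:
        return 401, "not authenticated"
    if request.get("method") != "POST":
        return 405, "state change requires POST"
    origin = request.get("origin") or request.get("referer")
    if not origin or not same_origin(origin, TRUSTED_ORIGIN):
        return 403, "cross-origin request rejected"
    token = request.get("body", {}).get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"config updated: {request['body']['setting']}"


def legitimate_request(session: dict) -> dict:
    """What the PLC's own page submits: same origin, token taken from the rendered form."""
    return {
        "method": "POST",
        "cookie_session": session["id"],
        "origin": TRUSTED_ORIGIN,
        "body": {"setting": "ip=10.0.0.5", "csrf_token": session["csrf"]},
    }


def forged_request(session: dict) -> dict:
    """What a malicious page triggers: the browser attaches the cookie, the attacker has no token."""
    return {
        "method": "POST",
        "cookie_session": session["id"],  # added automatically by the victim's browser
        "origin": "https://attacker.example",
        "body": {"setting": "ip=203.0.113.9"},
    }


if __name__ == "__main__":
    s = new_session()
    print("vulnerable, forged:", change_config_vulnerable(forged_request(s), s))
    print("hardened,   forged:", change_config_hardened(forged_request(s), s))
    print("hardened,   legit :", change_config_hardened(legitimate_request(s), s))
```

Either the origin check or the token check alone would stop the forged request; using both covers clients that strip the Referer and pages that leak the token. Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer. Siemens’s interim advice, not to browse elsewhere while authenticated to the PLC, removes the attacker’s delivery path rather than the flaw itself, which is why the firmware update remains the fix.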

The post Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products appeared first on HIPAA Journal.

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices to help medical device manufacturers improve the security of their devices and help healthcare provider organizations improve security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way.

The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete.

HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the National Health Service in the UK was badly affected and had its systems crippled.

Later in 2017, the Healthcare Industry Cybersecurity Task Force, which was set up following the passing of the Cybersecurity Act of 2015, submitted a report to Congress that included more than 200 recommendations for improving healthcare cybersecurity and preventing cyberattacks on healthcare organizations from succeeding.

Since the report was released, scores of healthcare industry stakeholders have joined the HSCC Cybersecurity Working Groups and Task Groups and have been working toward strengthening cybersecurity in the healthcare industry and improving privacy protections for patients.

HSCC held a multi-stakeholder meeting in February 2018 to improve coordination of efforts to address cybersecurity challenges and the HHS held a meeting in June 2018 where members of the HSCC Cybersecurity Working Group provided an update on progress and received further direction on key priorities.

HSCC notes that there is considerable momentum and great strides are being taken to improve healthcare cybersecurity. As detailed in September’s National Cyber Strategy, policymakers within the Administration and Congress are addressing cybersecurity threats and state that the government will work closely with the private sector to manage risks to critical infrastructure, including healthcare.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) now contains cybersecurity provisions and requires the HHS to submit its strategy to Congress for public health preparedness and response to address cybersecurity threats. A joint table-top exercise will also be conducted with the HHS covering a simultaneous flu pandemic and cascading ransomware attack.

“We recognize that patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity,” explained HSCC. “The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic.”

The post Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC appeared first on HIPAA Journal.

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list include the likelihood of a hazard causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. From there they can move laterally within the network and reach medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources hijacked, and ransomware deployed that renders systems inoperable. For the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full top ten list of health technology hazards for 2019 is:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

The post Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards appeared first on HIPAA Journal.

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents.

The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks.

The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document.

The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been conducted on medical devices to cause patients harm, the number of cyberattacks on healthcare organizations has increased significantly in recent years and concerns have been raised with the FDA about the potential for cybercriminals to attack patient medical devices.

“The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents,” said MITRE. “The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.”

In addition to releasing the guidance for HDOs, the FDA has developed its own internal playbook to ensure that it can respond rapidly to any medical device cybersecurity incident. “Our internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, healthcare systems and ultimately, patients,” said Scott Gottlieb, MD, Commissioner of the FDA.

The playbook includes several recommendations for healthcare delivery organizations, although operational constraints may prevent some organizations from executing all of them. The document nevertheless serves as a starting point for developing a response plan for medical device security incidents and includes recommendations that can be incorporated into existing disaster recovery plans.

The FDA has also announced it has signed two memoranda of understanding which will establish information sharing analysis organizations (ISAOs) that will be tasked with gathering, analyzing, and distributing important information about new cyber threats to medical device security. Through the sharing of timely information it is hoped that device manufacturers will be able to address security issues more rapidly before they can be exploited.

The FDA is also working closely with the Department of Homeland Security and is holding joint cybersecurity exercises to simulate attacks on medical devices with a view to improving medical device security. The FDA has also made significant updates to its premarket guidance for medical device manufacturers which is expected to be released in the next few weeks.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook can be downloaded from MITRE on this link (PDF – 543.73 KB)

The post FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

Phishing is one of the leading causes of healthcare data breaches. The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information.

In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August.

Data from the HHS’ Office for Civil Rights show that email is the most common location of breached PHI. In July, 14 of the 28 reported healthcare data breaches involved email, compared with 6 involving network servers, the second most common location. It was a similar story in May and June, with 9 and 11 email breaches reported respectively.

Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing

The anti-phishing solution provider Cofense (formerly PhishMe) recently published an industry brief exploring the problem of phishing in the healthcare industry.

The report, entitled ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’, confirmed the extent to which the healthcare industry is targeted by cybercriminals. The healthcare industry accounts for 1/3 of all data breaches, which have resulted in the exposure or theft of more than 175 million records.

It is no surprise that the healthcare industry is targeted by hackers, as healthcare organizations store vast amounts of extremely valuable data: health information, insurance information, Social Security numbers, dates of birth, contact information, and financial data, all of which can easily be sold to identity thieves and fraudsters.

Further, the healthcare industry has historically underinvested in cybersecurity with security budgets typically much lower than in other industry sectors such as finance.

Cofense data show that healthcare organizations fare worse than other industries in both susceptibility and resiliency to phishing attacks. To measure susceptibility, Cofense used data from its phishing simulation platform, susceptibility being the percentage of healthcare employees fooled by a phishing simulation. Resiliency is the ratio of users who reported a phishing attempt through the Cofense Reporter email add-on to those who did not.

Across all industries, the susceptibility rate was 11.9% and the resiliency rate was 1.79. For healthcare, susceptibility was 12.4% and resiliency was 1.34. The insurance industry had a resiliency rate of 3.03 while the energy sector had a resiliency rate of 4.01.

The past few years have seen cybersecurity budgets increase and a greater emphasis placed on security and risk management. The extra funding for anti-phishing defenses is having a positive effect, although there is considerable room for improvement.

Source: Cofense

How Are Healthcare Employees Being Fooled by Phishers?

An analysis of the phishing email simulations that most commonly fooled healthcare employees reveals a mix of social and business emails. The type of email most likely to fool a healthcare employee was a requested invoice, followed by a manager evaluation, package delivery notification, and a Halloween eCard alert, all of which had a click rate above 21%. Emails about holiday eCard alerts, HSA customer service emails, and employee raffles also commonly fooled employees.

Data from Cofense Intelligence shows invoice requests to be one of the most common active threats, often used to deliver ransomware. 32.5% of healthcare employees were fooled by those emails in simulations and only 7.2% reported the emails as suspicious.

The Cofense report includes further information on the most commonly clicked phishing emails and advice for healthcare companies to help reduce susceptibility to phishing attacks. The Cofense Healthcare Industry Brief can be downloaded on this link (PDF).

The post Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency appeared first on HIPAA Journal.

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce.

The guidance document, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228), is the first in a series of new publications that address cybersecurity and privacy together, and it is the foundation for further publications that will explore IoT device cybersecurity and privacy in more detail.

“IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST.

In the guidance document, NIST identifies three high-level considerations that can affect the management of risks that IoT devices can introduce. First, IoT devices tend to interact with the physical world in ways that conventional IT devices do not. Second, IoT devices cannot typically be accessed, managed, and monitored in the same way as conventional IT devices. Third, the availability, efficiency and effectiveness of cybersecurity and privacy controls are different for IoT devices than conventional IT devices.

Cybersecurity and privacy risks need to be addressed for the entire lifecycle of IoT devices and can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct attacks
  • Protecting the confidentiality, integrity, and availability of data stored on the devices
  • Protecting the privacy of individuals

The guidance document suggests various ways that the above goals can be met and the challenges that organizations may face achieving those goals. However, since IoT devices are so diverse, it is difficult for recommendations to be made that can be applied for all use cases, levels of risk and device types.

NIST is seeking public comments on the document and will be accepting feedback until October 24, 2018. The draft document can be downloaded on this link (PDF).

The post NIST Releases Guidance on Managing IoT Cybersecurity and Privacy appeared first on HIPAA Journal.

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health.

The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.

“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study.

Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen as a result of hacking or IT incidents.

While the number of hacking and IT incidents continues to increase each year, the number of theft incidents has declined by two thirds since 2010 when it was the leading cause of healthcare data breaches. This is due to healthcare organizations transitioning to electronic health records and encrypting health data stored on portable electronic devices.

In 2010, the most common location of breached health data was laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are targeted by hackers.

The study covered healthcare providers, health plans and business associates of HIPAA covered entities. Healthcare providers experienced the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare providers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they resulted in the exposure of more records – 63% of all breached records between 2010 and 2017.

“More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” said McCoy.

The high number of records exposed by health plan data breaches is largely due to three health plan data breaches which resulted in the theft of 99.8 million records: The 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches accounted for more than half of all exposed health records between 2010 and 2017.

The most serious healthcare data breaches involve records stored on network servers. There were 410 data breaches involving network servers over the period of study and they impacted almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.

“For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly,” said Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study.

The post Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017 appeared first on HIPAA Journal.