According to independent research by the Identity Theft Resource Center (ITRC), 259 Medical/Healthcare facilities experienced a data breach event between January 1 and October 14 of this year. That is a staggering number, given that ITRC reported a total of 28 events for the entirety of 2013.
What is happening in Healthcare?
I decided to do some additional research and here are 3 key lessons I learned:
1. Employees’ lack of security awareness accounts for as much as 81% of healthcare data breaches. The Privacy Rights Clearinghouse’s “Chronology of Data Breaches” tool allows you to search reported (note that many go unreported!) data breaches based on date, organization type and the type of breach.
The report categorizes breaches initiated by organizational employees and contractors as follows:
- Insider — Someone with legitimate access (such as an employee or a contractor) intentionally breaches information.
- Physical Loss — Lost, discarded or stolen non-electronic records, such as paper documents.
- Portable Device — Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
- Stationary Device — Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
- Unintended Disclosure — Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
To date in 2014, the report lists 48 breaches fitting the above criteria. In all, more than 230,000 records were exposed, as many as 81% of them inadvertently (i.e., not because an insider intentionally committed the breach). This points to the need for greater security awareness and procedural adherence among full-time and contract staff.
2. While far less common than employee-caused breaches, hack and malware attacks take a much larger toll on the organization. As noted above, the Privacy Rights Clearinghouse reported a total of 48 year-to-date insider-based breaches compromising more than 230,000 records. In the same period of time, only 6 breaches occurred because of an IT network hack and/or malware intrusion. However, the largest of those 6 breaches (Community Health Systems in Franklin, TN) exposed 4.5 million records and prompted a class-action lawsuit.
But before you think the other five breached organizations got away easy, take note that these entities lost between 2,000 and 27,000 records each, and that one of them—the Montana Health Department—has never owned up to the number of records it actually lost.
According to a recent HealthcareInfoSecurity.com article, comprehensive medical records are a hot commodity on the Internet black market. While each piece of personally identifiable information (PII) contained within an individual medical record has some value, the entire record can enable fraud at a much grander scale. For example, a person could assume a stolen identity for a “free” surgery.
3. Large healthcare organizations aren’t the only ones getting breached. Here is just a partial list of the smaller Medical/Healthcare organizations appearing in the Privacy Rights Clearinghouse data breach report:
- Beachwood-Lakewood Plastic Surgery (August, 2014) — Computer hardware stolen in office burglary. The stolen hardware housed more than 6,100 patient names and personal health information.
- ManagedMed, Inc. (August, 2014) — For over a year, patient scheduling information was externally visible via an unsecured web page. The total number of patients compromised is unknown.
- Service Coordination, Inc. (March, 2014) — Hackers stole the social security numbers and protected health information of approximately 9,700 clients. While discovered in October, 2013, the breach wasn’t reported until March, 2014, by request of the U.S. Justice Department.
- Eye Surgery Education Council (January, 2014) — Nearly 5,000 records were compromised after the ESEC’s network was hacked and sensitive information released on the internet. As of this writing, their website is down, “under maintenance.”
Hackers are hitting the little guys, so it’s important to have security buttoned up, no matter your size. While scanning the list, I also noticed a lot of hardware thefts due to office, home and car break-ins. You can properly secure the data contained on all portable and stationary hardware through password protection and data encryption; a stolen device whose data is encrypted exposes nothing readable to the thief.
Need more information on securing your business and complying with security and privacy standards such as PCI and HIPAA? Learn more about ControlScan|Health.