Researchers Find Health Data Breaches Are Steadily Increasing

April 15, 2015 | www.ihealthbeat.org
The number of large‐scale health data breaches reported by physicians and health insurers has been steadily increasing, according to a study by Kaiser Permanente published Wednesday in the Journal of the American Medical Association, Reuters reports.
Researchers reviewed data from HHS’ database of breaches of unencrypted health data that were reported by entities subject to HIPAA. Such breaches include those affecting at least 500 people in which data could be linked back to individual patients.
According to the study, there were nearly 1,000 large data breaches reported between 2010 and 2013 that affected more than 29 million individual health records. Researchers noted that more than 50% of the breaches resulted from loss or theft of laptops, paper records, and thumb drives.
Most of the breaches involved individuals’ electronic health records. Overall, the annual number of large breaches increased from 214 in 2010 to 236 in 2011, 234 in 2012 and 265 in 2013.
The percentage of breaches attributed to hacking more than doubled during the 3‐year period, accounting for about 12% of incidents in 2010 and 27% in 2013. However, such incidents comprised less than one‐third of all large‐scale reported breaches (Doyle, Reuters, 4/14).
Further, the researchers noted in the study that the number of electronic data breaches likely will continue to increase as the use of EHRs rapidly expands, along with increased adoption of cloud-based analytics services, gene sequencing, personal health records, and other health‐related technology (Colliver, San Francisco Chronicle, 4/14).
Recommendations – In order to increase data security, the researchers recommended that healthcare organizations and lawmakers take action to increase staff training and bolster security measures (San Francisco Chronicle, 4/14).
Meanwhile, the Commonwealth Fund’s David Blumenthal wrote in an editorial accompanying the study that healthcare organizations must change their “behavior” to correct inadequate security practices, such as failing to encrypt data and staff carrying unprotected devices outside of healthcare facilities. In addition, he noted that patients should inquire about the facilities’ security practices (Reuters, 4/14).
Verizon: Industry Continues To Struggle With ‘Age‐Old’ Security Threats ‐ While the healthcare industry has made progress in protecting data from certain threats, it has seen increases in many other security incidents, according to a report from Verizon, Healthcare IT News reports.
For the 2015 Data Breach Investigations Report, Verizon examined 234 health care security incidents and 141 confirmed data breaches (McCann, Healthcare IT News, 4/14).
Overall, the report found the healthcare industry has experienced nearly double the number of cyber‐related security threats of all other industries (Allen et al., “Morning eHealth,” Politico, 4/14).
In terms of cyber‐related security incidents:

  • Web application attacks accounted for 7% of incidents in 2015, up from 3% last year; and
  • Denial of service attacks accounted for 9% of incidents, up from 2% last year (Healthcare IT News, 4/14).

However, healthcare data breaches largely occurred from “age-old” security threats, according to “Morning eHealth.”
For example, the report found that physical loss or theft, privilege misuse, and other errors accounted for 66% of security incidents (“Morning eHealth,” Politico, 4/14). Specifically:

  • Physical theft or loss accounted for 26% of incidents in 2015, down from 46% in 2014;
  • Insider misuse accounted for 20% of incidents in 2015, up from 15% in 2014; and
  • Miscellaneous errors accounted for 19% of incidents in 2015 (Healthcare IT News, 4/14).

The report also found that health care organizations discovered 59% of security incidents within days of their occurrence. However, 37% of incidents took months or years to discover (“Morning eHealth,” Politico, 4/14). The Verizon researchers recommended that industries improve security incident information sharing:

  • In real time;
  • From machine to machine; and
  • Across multiple sectors (Menn, Reuters, 4/14).