News Feature | October 9, 2015

Healthcare Breach Numbers Are Shifting, But The Question Is "Why?"

By Megan Williams, contributing writer


The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule's breach notification requirements took effect two years ago, and many in the industry expected the numbers to jump because of the new method of tracking breaches.

According to GovInfoSecurity.com, the U.S. Department of Health and Human Services (HHS) began keeping a public record on its “Wall of Shame” website, which currently lists 1,349 breaches affecting more than 154 million individuals over the last six years. In the first year after Omnibus enforcement began there was a surge, but growth in the number of breaches has, for the most part, leveled off. Still, “mega-breaches” are driving the numbers up in significant ways.

Since September 23, 2013, the number of individuals impacted has increased by a factor of five, while the total number of breaches has only doubled. In the last year, the total number of individuals affected tripled, while the number of breaches themselves grew by only about 19 percent.

The big breaches — specifically the 10 largest — in 2015 all involved hackers, with the top five accounting for more than 108 million impacted individuals. These include the cyberattacks on Anthem (79 million individuals), Premera Blue Cross (11 million individuals) and Excellus BCBS (10 million).

Behind The Trends

According to privacy and security expert and founder of The Marblehead Group, Kate Borten, “We are seeing more big data breaches mainly because they are happening more often as cybercriminals recognize the commercial value of the data. While clarifying the breach determination process is likely to have resulted in more reported breaches, the fact is that there continue to be many more small and midsize breaches than large ones.”

Much of the change stems from the security incident reporting criteria having become far less subjective.

Where Your Clients Can Act

While improving anti-hacker precautions is essential, your client base can undoubtedly benefit from an increased emphasis around mistake identification and prevention. According to privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, “What is surprising to me is that we are not seeing overall reductions in the gross numbers of reportable breaches due to theft and loss of [unencrypted] media and devices. With the increased attention, awareness and availability of user-friendly, affordable encryption solutions, these types of breaches are eminently preventable. Yet, they continue to be occurring at an alarming rate.”

One of your primary obstacles in addressing your clients’ security issues could be a cultural assumption that low-dollar spending on security is still acceptable.

Dan Berger, CEO of security consulting firm Redspin, stresses a more modern approach to security concerns: “To combat this, first acknowledge the problem: Healthcare organizations currently underspend on security ... Those days are over. We recommend looking beyond the HIPAA security risk assessment to more direct security testing, such as penetration testing and social engineering.”

Going Forward

For information on using past breach information in communicating with your clients, please access the links below.

Anthem

Premera Blue Cross

Excellus BCBS