Healthcare Data Breaches: Their Frequency, Impact, and Cost
Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies
History and Statistics of Data Breaches
There has been a lot of news lately about data breaches in political organizations, national security agencies, businesses, financial institutions, social networks and healthcare companies. With each breach, confidential data (personal, financial, medical, intellectual property or trade secrets) is stolen, viewed, or used by unauthorized individuals. While this had been a problem when records were paper-based, the number of records stolen or exposed was smaller. Once the data became digitalized in the late 1980s and early 1990s, it became a much bigger issue, since large numbers of records could be compromised more easily.
In 2012, the Computer Sciences Corporation predicted that by 2020 data production would be 44 times what it was in 2009 (a 4,300% increase). They also predicted that one-third of all data would live in or be passed through the cloud. Well, it’s only 2019, and we may have already exceeded that prediction with the amount of data that is generated each day. 90% of the data was generated between 2013 and 2015 alone. That means that the other 10% was generated since the beginning of time. That is unbelievable! How is that possible? How will we ever be able to handle this exponential increase in the volume of data in the coming years?
By the early 2000s, data management and privacy had become a big enough issue that laws and regulations were enacted to create guidelines for the handling, storage and protection of sensitive data. Examples of these include HIPAA for healthcare and PCI for payment card financial data. Most databases that track breaches cover the years from 2005 onward, since that was the time data started to grow exponentially, allowing hackers more opportunity to steal massive amounts of data in a single breach. In 2005 alone, 136 data breaches compromised 55,101,241 records, according to the Privacy Rights Clearinghouse (PRC), a non-profit organization committed to protecting privacy for all by educating and empowering individuals and advocating for positive change.
PRC provides a database that tracks data breaches reported in the United States by government agencies or verifiable media sources. This searchable database is available for everyone to use for research purposes and is sortable by type of breach and/or organization and by year. The data can also be downloaded as a CSV file. PRC’s data shows that there have been 8,804 reported breaches in the U.S. since 2005, exposing over 11 billion (11,575,804,706) records. Reporting to the Clearinghouse is voluntary, so it does not capture all breaches. Therefore, it is not a comprehensive compilation of breach data, so the actual number of breaches and total records affected is obviously higher.
Statista, another company that reports data breaches, reports that the number of cyber-attacks continues to rise. In 2005 they found that 157 breaches exposed 66.9 million records, while in 2014 the numbers had risen to 783 breaches exposing at least 85.6 million records, a nearly 500% increase in the number of breaches in just 9 years. And in 2012, three years later, the number of breaches nearly doubled to 1,579. From 2013 to 2015, 90% of healthcare organizations had at least one data breach.
The statistics vary by company depending on the type of data it collects, but the consistent element is that even though there has been an immense amount of time and effort spent on trying to protect the data, the number and size of breaches continues to rise, as shown in the graph at this link:
The Statista numbers in the graph are only for the United States. The Gemalto Breach Level Index reports worldwide data showing that more than 14 billion records (14,717,618,286) have been lost or stolen since 2013, when the digital security company started collecting data.
Unfortunately only 4% of the breaches were “secure,” meaning the data was encrypted and therefore useless. The other 96% contained data that was not encrypted, so the data was able to be viewed and used by the hackers.
The Breach Level Index website also has other valuable statistics such as industry breach details, a map view of where the breaches occur, a breach risk calculator, and other privacy information.
A recent 2018 Ponemon Report found that data breaches in the U.S. cost an organization an average of $7.91 million, which is an average of $148 per record. The costs include investigation, notification, and remediation. There is also a cost due to the loss of reputation if the data breach is large or could/should have been avoided.
The annual Verizon Data Breach Investigations Report (DBIR) is a respected, detailed, statistical report that includes data from 86 countries and input from 73 data sources. Working closely with the Secret Service’s Cyber Division, the team analyzes the available data to determine the threat landscape, identify the ever-changing threats and recommend actionable techniques, tools, procedures, strategies and best practices to prevent breaches and mitigate risks. The entire 2019 Data Breach Investigations Report and Executive Summary contain a great deal of detailed information for those who need it.
No company or organization is immune to a data breach. All companies possessing sensitive data are under a constant threat. The most likely targets for breaches are government, financial, and healthcare industries. Although the rankings change from time to time, the accommodation and retail industries round out the top five most threatened industries, according to the DBIR, although the social media industry is becoming more threatened in the last few years. For purposes of this article, we are only going to discuss the healthcare industry in detail.
Data Breaches in Healthcare
Breaches within medical organizations accounted for about 26% of all breaches in 2016, and almost one in four Americans have had their medical information compromised. Financial gain is the main motivator for hackers because healthcare records are highly valued for their personal, financial and medical data. This type of information is worth roughly 50 times more than credit card or Social Security data, since it can be used for Medicare fraud – the most profitable type of identity theft. In fact, the co-author of the 2014 Data Breach Investigation Report stated that some employees found jobs in healthcare for the sole purpose of stealing patient information to commit identity theft or tax fraud. Not only can this be used by the hackers, but the records can be easily sold to others because of this valuable data.
Breaches also have a significant impact on patients, making them mistrust the system and withhold information: 61% resulted in exposure of personal information and embarrassment; 56% resulted in financial identity theft; and 45% resulted in medical identity theft.
Healthcare employees are responsible seven times more often than employees of other industries for breaches caused by human errors (33.5%) and/or careless actions such as:
- Inappropriate conversations
- Misuse or carelessness in handling emails, mail, and other hard copy documents
- Leaving computer screens or hard copy records unattended and visible to others
- Sharing passwords with others or not logging off a computer when not in use
One of the biggest threats posed by employees is the unintentional, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information used to access email or cloud accounts and so get at patient data. The links or documents can also plant malware within the computer system or network, which can lead to more serious network problems or system stoppages. These are usually innocent acts, but very consequential to the organization. Employees have been terminated due to this type of error if it was done against normal company policies. We will discuss “phishing” and how to be aware of the dangers in more detail next month.
Insider threats are also a bigger issue for healthcare organizations than for other industries. 56% of healthcare threats come from inside the organization and are caused either by the ability to gain access to records that are not necessary for business use or patient care, or by credential theft. However, there are user-based risk mitigation tools available that will detect if an employee connects to an unauthorized device or uses suspicious software and immediately notify the security officer. After the incident, these tools allow the employee’s actions to be analyzed, and records can be exported to a protected file for further investigation.
A Data Breach Investigations Report analyzed more than 1,300 data breaches involving 20 industries and found that the Top 3 Security Threats to the Healthcare Industry were:
- Insider misuse by employees or trusted third parties who intentionally or unintentionally stole data or damaged a system. Employers consider employee negligence their biggest security risk. Based on the 2018 Ponemon Benchmark Study on the “Cost of Insider Threats,” incidents involving a negligent employee cost the company an average of $283,281, while the cost is usually double that if it involves a thief who steals credentials. However, the company also shares the responsibility because it should be auditing to identify who is inappropriately accessing patient data.
- Unintentional actions that directly compromised patient information were found to be the cause of 12% of the security incidents. Examples included: inserting one patient's information into another patient's record or envelope; provider websites that allow patients' information to be available to the public; and decommissioning computers or medical devices without properly removing patient information (“rendering PHI unusable, unreadable, or indecipherable”).
- Healthcare was the only industry that had theft and loss as a major cause of security incidents. Theft and loss of laptops and other equipment accounted for 46% of the security incidents. The high percentage was attributed to the fact that encryption was not being done. If lost or stolen devices had been encrypted, they would not have had to report the incident as a breach, because the data would have been considered “secure.”
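The auditing the insider-misuse item above calls for, and the unauthorized-device detection mentioned earlier, can both be done with a simple review of the EHR access log. The following is an added example written for this article, not code from the author or from any vendor product it mentions. It runs over a constructed access log and a constructed care-team roster (all user names, patient IDs, device IDs and the `UNRELATED_PATIENT_LIMIT` threshold are assumptions) and flags three patterns: a user opening a record of a patient they have no care relationship with, a session from a device that is not on the authorized list, and a user who touches more unrelated patients than the threshold allows.

```python
"""Added example (not from the article): audit constructed EHR access-log lines for
the insider patterns the article describes. Every name, ID and log line is constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample log: timestamp, user, role, patient_id, action, device_id
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,device_id
2019-03-04T08:01:10,nurse_ali,RN,P-1001,view,WS-017
2019-03-04T08:05:42,nurse_ali,RN,P-1002,view,WS-017
2019-03-04T08:09:03,dr_chen,MD,P-1001,update,WS-021
2019-03-04T08:15:27,clerk_ray,BILLING,P-1003,view,USB-HOST-9
2019-03-04T08:20:11,nurse_ali,RN,P-2045,view,WS-017
2019-03-04T08:21:30,nurse_ali,RN,P-2046,view,WS-017
2019-03-04T08:22:05,nurse_ali,RN,P-2047,view,WS-017
2019-03-04T08:30:00,dr_chen,MD,P-1004,view,WS-021
"""

# Constructed care-team roster: users with a treatment or business relationship per patient.
CARE_TEAM = {
    "P-1001": {"nurse_ali", "dr_chen"},
    "P-1002": {"nurse_ali"},
    "P-1003": {"clerk_ray"},
    "P-1004": {"dr_chen"},
    "P-2045": {"nurse_bea"},
    "P-2046": {"nurse_bea"},
    "P-2047": {"nurse_bea"},
}

# Constructed list of devices the organization has approved for record access.
AUTHORIZED_DEVICES = {"WS-017", "WS-021"}
# Assumed threshold: touching more than this many unrelated patients is treated as bulk access.
UNRELATED_PATIENT_LIMIT = 2


def parse_log(text):
    """Parse the CSV access log into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, care_team=CARE_TEAM, authorized_devices=AUTHORIZED_DEVICES):
    """Return (kind, user, detail, timestamp) findings for each suspicious access."""
    findings = []
    unrelated_by_user = defaultdict(set)
    for r in rows:
        allowed = care_team.get(r["patient_id"], set())
        # Access without a care relationship: the audit the article says companies owe.
        if r["user"] not in allowed:
            findings.append(("no_care_relationship", r["user"], r["patient_id"], r["timestamp"]))
            unrelated_by_user[r["user"]].add(r["patient_id"])
        # Session from a device that is not on the approved list.
        if r["device_id"] not in authorized_devices:
            findings.append(("unauthorized_device", r["user"], r["device_id"], r["timestamp"]))
    # One user browsing many unrelated records is the pattern behind record theft.
    for user, patients in unrelated_by_user.items():
        if len(patients) > UNRELATED_PATIENT_LIMIT:
            findings.append(("bulk_unrelated_access", user, str(len(patients)), "-"))
    return findings


def summarize(findings):
    """Count findings by kind so the security officer sees the shape of the problem first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for kind, who, what, when in results:
        print(f"{when} {kind:22} user={who} detail={what}")
    print(summarize(results))
```

In a real deployment the roster would come from the scheduling or admission system rather than a literal, and a legitimate "break the glass" emergency access would be recorded with a reason so it can be excluded from the no-relationship findings; the point the script makes is that the log already contains what is needed to see who is looking at records they have no reason to open.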
The largest breach of healthcare data was the Anthem medical data breach in 2015 that affected 78.8 million people, more than the whole population of Germany. Not only was the number of affected records extremely high, but the data exposed contained very detailed, sensitive personal information: names, contact information, social security numbers, email addresses, home addresses, and income information. As a result, Anthem was fined a total of $115 million.
The HIPAA Journal reported that between 2009 and 2018 there were 2,546 healthcare data breaches that involved more than 500 records, resulting in the exposure of 189 million (189,945,874) records. That is equal to about 59% of the U.S. population.
Data Breach Defense and Prevention Resources
So what can we do to prevent a data breach or to mitigate our risk? Data breach defense and prevention resources have increased drastically over the past few years because of the ever-increasing number of security threats. These solutions offer a proactive approach to security to help ensure the safety of sensitive information. The following resources are offered to allow a more detailed review of breach prevention.
- Data Breach Today -- a multimedia news resource on the latest data breaches, their impact, and strategies for prevention
- Data Breach Watch -- a resource reporting data breaches, news, and trends impacting consumers and companies
- The Global Privacy & Security Compliance Law Blog -- a resource that explains stringent and ever-changing security regulations and compliance requirements
- The New York Times article -- discusses strategies for minimizing the risk of a data breach. One suggestion is to eliminate unnecessary storage of data. Keeping lots of sensitive information may be more risky for the customer and company than not keeping the data. Target’s storage of their customers’ four-digit personal identification numbers (PINs) for debit cards is a good example of data that was not necessary.
- Data Breach Industry Forecast for 2018 -- the 5th annual Experian report that provides an overview of data breach trends and the need for a data breach response plan
- Resources from Digital Guardian -- cover data breach topics and provide insight into preventing and responding to breaches:
  - Steps to Take After a Data Breach -- data security experts share important next steps following a data breach
  - Cost Effective Ways a Startup Can Protect Themselves -- data security experts share cost-effective ways to protect oneself from a data breach
- Cybersecurity Awareness Kit -- 35 data protection tips, an infographic on oversharing, an infographic to recognize and avoid phishing attacks, and links to 3 additional resources on personal security
- Digital Insider Blog -- updates on the latest data security information, research, and discussions
- Resource Center -- a selection of analyst reports, case studies, data sheets, and other resources on data breach prevention and data security
Conclusion
While the information technology team may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it impacts healthcare and the privacy of our patients, and what procedures we need to follow to assure safe security practices. While nurses may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in healthcare today and how that affects our role. Threats are becoming more sophisticated while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to assure that their measures are dynamic, up-to-date and include commonly accepted practices.
Over the last 20 years, as computer systems and the internet have become an ever-increasing integrated part of healthcare, the need for protecting patient information has become much more complex. It used to be rather easy, since records and reports were in hard copies and contained in the patient’s chart, which was in a protected area in the physician’s office, hospital, or healthcare facility, and only accessible by a limited number of people. Things are very different now. The number of people who have access to patient information is much larger. The information can be sent to multiple people by email, fax or text and it can be accessed by multiple people from computers, laptops, mobile devices and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives and smartphones. While we do have security procedures to try to limit access to only those who have a need to know, ensuring the privacy of patient information is a huge challenge.
Given these widespread incidents of cyberattacks, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? While there is no way to totally stop cyberattacks, the risk of cyberattacks can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA compliant infrastructure; implement HIPAA compliant guidelines and best practices; and continually educate (and monitor) employees regarding their role in cybersecurity.
Healthcare organizations have a challenging uphill battle to modernize systems and reduce risks, but it can be done. We have had almost 15 years of data breach research, which has increased our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to assure that IT teams are provided with dedicated staff that has the resources, time and money to develop, maintain, monitor and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. Continuous education of all system users needs to be done, so they are aware of their responsibilities in maintaining cybersecurity.
Now that we have looked at the causes and impact of data breaches, next month’s article will focus on specific, practical things we, as nurses, can do to help improve cybersecurity and assure we are not the individual responsible for a devastating and costly data breach.
Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.