Health Data Breach Tally – Lots of Hacks, Fewer Victims
Hacker attacks are still dominating the data breaches added to the official federal tally so far this year. But compared to the mega-breaches of past years, this year’s biggest hacks have been relatively small.
As of Monday, some 199 breaches affecting 3.9 million individuals had been added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, commonly called the “wall of shame.” The website lists health data breaches affecting 500 or more individuals.
By comparison, the 2015 cyberattack on Anthem Inc. affected nearly 79 million individuals. Plus, 2015 attacks against Premera Blue Cross, Excellus BlueCross BlueShield, and UCLA Health affected many millions more.
Why Are Mega-Breaches Now Rare?
Adds Susan Lucci, a senior privacy and security consultant at tw-Security: “It is likely the big organizations have invested wisely in breach prevention strategies in a layered security approach. That way, there are multiple safeguards against intrusion.”
Smaller organizations that have not taken similar precautions, however, may still be at risk, she warns. “They should do everything they possibly can to heighten awareness internally among staff and invest in security strategies that make sense for the size of the organization. The reason here is that insider mistakes still provide the easiest access for cybercriminals.”
So what health data breach trends are on the horizon?
Lucci notes that hackers’ tactics are evolving. “New methods of attack are including malware embedded in an attachment like a PDF file. Even though there has been a heightened awareness with employees about not clicking on links included in emails, the new way in may be through a PDF file or other attached document,” she notes.
“This deploys malware when an unsuspecting employee opens the document. When we remind employees about phishing, we need to include statements with emphasis on not opening any attachments if the email isn’t from a trusted source.”
While hacker attacks get a lot of attention, incidents involving unauthorized access appear to be rising over the last year on the wall of shame, Lucci notes.
“Hard to say why this is increasing, but the two most common are [records] snooping … and failing to shut down access to healthcare systems at the right time,” she says.
Organizations are discovering snooping “through normal and random audit processes and are cracking down on this type of privacy violation,” Lucci notes.
“Strong reminders and additional education should be provided for employees to deter the temptation to ‘look and see what happened,’” with patients, she says. But it’s not just employees who snoop.
“Remember that business associates may have access to critical systems, and pulling a list of recently terminated contracts should be reviewed against access,” she says. “This is a key security process that should be managed on a regular basis.”
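One way to run the review Lucci describes, checking recently terminated business-associate contracts against accounts that are still enabled, written here as an added example that is not from the article or from tw-Security. The contract and account records are constructed sample data, and the field names (ba_id, terminated, last_login, enabled) are assumptions about what a contract register and an identity system would export.

```python
from datetime import date

# Constructed sample data (not from the article): business-associate contracts
# with termination dates, and accounts as exported from a clinical system.
TERMINATED_CONTRACTS = [
    {"ba_id": "BA-1001", "vendor": "Example Billing LLC", "terminated": date(2024, 1, 15)},
    {"ba_id": "BA-1002", "vendor": "Example Transcription Co", "terminated": date(2024, 2, 1)},
]

ACTIVE_ACCOUNTS = [
    {"user": "jdoe",   "ba_id": "BA-1001", "last_login": date(2024, 2, 20), "enabled": True},
    {"user": "asmith", "ba_id": "BA-1002", "last_login": date(2024, 1, 28), "enabled": False},
    {"user": "rlee",   "ba_id": "BA-1003", "last_login": date(2024, 2, 25), "enabled": True},
    {"user": "mchen",  "ba_id": "BA-1001", "last_login": date(2024, 1, 10), "enabled": True},
]


def reconcile_terminated_access(contracts, accounts, as_of):
    """Return findings for enabled accounts tied to terminated business associates.

    Severity is "high" when the account was used after the contract ended
    (access that should already have been shut down was exercised) and
    "medium" when it is merely still enabled. Findings are ordered with the
    high-severity and longest-open items first.
    """
    terminated = {c["ba_id"]: c for c in contracts if c["terminated"] <= as_of}
    findings = []
    for acct in accounts:
        contract = terminated.get(acct["ba_id"])
        if contract is None or not acct["enabled"]:
            continue  # BA still under contract, or account already disabled
        last = acct.get("last_login")
        used_after = last is not None and last > contract["terminated"]
        findings.append({
            "user": acct["user"],
            "vendor": contract["vendor"],
            "days_open": (as_of - contract["terminated"]).days,
            "severity": "high" if used_after else "medium",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["days_open"]))


if __name__ == "__main__":
    for finding in reconcile_terminated_access(TERMINATED_CONTRACTS, ACTIVE_ACCOUNTS, date(2024, 3, 1)):
        print(finding)
```

Feeding the real contract register and account export into the same function turns the quarterly "pull a list and review it" task into a repeatable check whose output can be ticketed.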