The American Hospital Association has a page on which they compile recent headlines related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Two news stories from fall 2016 reveal just how fiercely targeted and vulnerable the healthcare sector was leading into 2017, underscoring the importance of maintaining HIPAA compliance and otherwise following security best practices:
- "Cyberattacks on personal health records growing ‘exponentially’" – This article details a report from the Government Accountability Office (GAO), which in turn sourced its numbers from incidents reported through the Department of Health & Human Services Breach Portal operated by the HHS's Office for Civil Rights (OCR). In 2009, there were fewer than 135,000 records breached, according to the government data. In 2014, that number was 12.5 million. In 2015, it was up to 113 million.
- "Healthcare sector gets a near-failing grade on cybersecurity" – This article noted that almost two-thirds of the biggest hospitals throughout the United States did not demonstrate urgency in patching software with security updates. The piece noted that other industries such as energy and finance were better defended than healthcare -- which is part of the reason the segment was experiencing so many attacks. The other reason for the high volume of cybercrime efforts was the prize: electronic health records (EHR) often include financial data, such as credit card numbers and Social Security numbers.
Given the huge threat of a cyberattack and the lack of protections versus other industries with critically sensitive data or systems, it is not a surprise that 2017 again saw a laundry list of attacks that created nonstop headlines.
Top data breaches of 2017
These were a few of the largest breaches of 2017:
In March, an attack was waged against Mid-Michigan Physicians Imaging Center. The event marked the compromise of 106,000 records. Files of both current and former patients were potentially accessed when the network of the company's radiology center was infiltrated.
From April 13 through April 17, Florida provider St. Mark's Surgery Center was hit with ransomware, making it impossible for the facility to access its own patients' records, including names, Social Security numbers, dates of birth, and medical data.
On April 20 and 21, attackers were able to get into Augusta University Medical Center through the email accounts of two staffers. This phishing attack was notable because the same organization was invaded via phishing in September 2016, just seven months prior. In fact, the second breach came only a month after AU completed its investigation of the first phishing compromise.
In June, ransomware attackers targeted and breached Pacific Alliance Medical Center, a Los Angeles provider, accessing 266,123 patient records.
On June 17, attackers invaded protected health information on the servers and workstations of Medical Oncology Hematology Consultants. A total of 19,203 patient records were impacted.
On June 26, New York's largest healthcare provider, Kaleida Health, realized that the email account of one of its employees had been accessed by an unauthorized user. The nefarious party was able to access 744 records, including patient names, diagnoses, information about treatment, and other PHI. The compromise did not involve any payment information. As with the attack on Augusta University, this one was a follow-up to an earlier phishing incident (May 24, exposing 2,789 patient records).
On July 25 and 26, a virus made it impossible for Arkansas Oral Facial Surgery Center to get into its own patient visit notes, medical images, and other key files. The cyberattack was rapidly detected but encrypted all PHI-containing images and files of patients who had been to the provider within three weeks before the breach.
In early September, at least tens of thousands and up to millions of health records were compromised through a MongoDB server of Bronx-Lebanon Hospital Center when a business associate failed to properly configure an rsync backup (rsync is an open source utility used to transfer and synchronize files between local and remote directories). This attack was similar to one on Emory Brain Health Center, also via a MongoDB server, that was revealed on December 30, 2016, and affected 200,000 patients. These attacks were part of a string of ransomware incidents in which 26,000 databases were wiped.
In early October, 18,470 patient records were accessed and possibly stolen from Henry Ford Health System.
Nature of 2017 HIPAA data attacks
Healthcare breaches increased significantly in 2017. While there were 327 breaches reported to the Office for Civil Rights in 2016, that figure rose to 345 in 2017, according to a January 2018 analysis. There was a more substantial rise in certain types of breaches, though – demonstrating a shift in focus among cybercriminals targeting PHI. There was a 25% rise in hacking and IT incidents, a year-over-year increase from 113 to 142. Phishing was becoming a bigger cause for worry as well, with email breaches up 60%, from 50 to 85 YOY.
In terms of types of IT breaches, ransomware was becoming a much more popular method among cybercriminals, according to the "2017 Healthcare Cyber Research Report". While ransomware accounted for only 19 of the large (500 or more records) breaches reported to the HHS in 2016, the agency was notified of 36 large ransomware attacks during 2017. These numbers may look small, but they mean that ransomware was responsible for 25% of the attacks described to the HHS as hacking or IT events. In fact, the six largest hacks of 2017 were all attributable to ransomware.
Cybercrime against HIPAA-covered entities was on the rise in 2017, and many healthcare organizations still had not implemented sufficient safeguards to protect against it; many sizable breaches resulted. This information suggests that security and compliance should be an even higher priority.
Beyond your own walls, be sure that any relationships you have with third-party technology firms are backed by sound business associate agreements, and that those partners are firmly committed to safeguarding your PHI.