– Most of the 2016 healthcare data breaches stemmed from hackers, with an overall increase in healthcare cybersecurity attacks of that kind rising 320 percent, according to recent research from Redspin.
Specifically, 81 percent of the breached records last year came from hacking attacks, the Breach Report 2016: Protected Health Information (PHI) found. There were also a total of 325 large-scale PHI data breaches, compromising 16,612,985 individual patient records.
Auxilio acquired Redspin in 2015, and then acquired CynergisTek earlier this year. Redspin then became part of Cynergistek’s portfolio.
For the report, Redspin analyzed information received and made public by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” CynergisTek Vice President Dan Berger said in a statement. “The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond.”
Ransomware attacks were just part of the overall amount of hacking attacks that affected healthcare in 2016. Overall, 96 healthcare providers reported PHI breaches of greater than 500 records due to hacking/IT incidents, the report showed, which is an increase of 320 percent over 2015.
There was also a year-over-year increase of 181 percent in the total number of health records breached in provider hacking attacks.
In total, there were 9,503,161 patient records affected in a healthcare data breach, stemming from a hacking attack, in 2016. In 2015, there were 5,249,675 patient records affected in the same type of incident.
These types of attacks exploited numerous vectors, including point of sale systems, phishing emails, and drive-by malware. The largest healthcare data breach in 2016 was at Banner Health, with approximately 3.2 million patient records affected.
“While these larger breaches are striking due to the number of patient records compromised, it is equally notable that most of the hacking attacks/IT incidents reported in 2016 occurred at ambulatory clinics,” the report authors noted. “It may be that these are ‘easy targets’ since many small practices lack the necessary IT security resources and expertise to implement effective security protections.”
The majority of PHI data breaches in 2016 – 77.8 percent – took place at healthcare providers, while health plans accounted for 16 percent. Business associates made up the other 6.2 percent of reported PHI breaches.
Redspin also highlighted the data breaches that did not come from hacking attacks. These included unauthorized access, theft, loss, or improper disposal. Researchers noted that regardless of the cause, privacy and security breaches will “erode trust” in EHRs, healthcare organizations, and the nation’s healthcare system.
For example, California Correctional Health Care Services had 400,000 individuals affected by a possible data breach in April 2016 that stemmed from a stolen, unencrypted laptop. The device was reportedly password-protected, but PHI may have been exposed for patients in the California Department of Corrections and Rehabilitation who were incarcerated between 1996 and 2014.
The report also noted the rise of ransomware attacks, and how these types of cybersecurity incidents could be especially devastating to healthcare organizations.
“By using ransomware, attackers effectively have lowered their operating costs (no need to exfiltrate data and find a buyer) and run less of a risk of being caught,” the report’s authors explained. “All they need is to identify targets that will face significant distress any interruption to the availability of critical data occurs. This has put healthcare providers squarely in the cross-hairs of cyber-attackers.”
Ransomware-as-a-service (RaaS) attacks could also be harmful to healthcare, as malware authors enlist “distributors” to launch the initial attacks and then share in any profits.
One of the more memorable healthcare ransomware attacks from 2016 was at Hollywood Presbyterian Medical Center, where the hospital paid $17,000 after a ransomware attack. Hollywood Presbyterian discovered the breach on February 5, 2016 after staff members reported issues accessing parts of the hospital network.
Full access to the EHR was complete on February 15, 2016, and the hospital said its records were completely cleansed of the malware and checked for adequate security standards.
“Healthcare cybersecurity has become an enterprise-level risk and should be managed like one,” the Redspin report concluded. “No longer the purview of IT, it is a cross-functional issue with far-ranging implications on operations, finance, legal, HR, procurement, reputation, and most importantly, patient care.”