Researchers Find Health Data Breaches Are Steadily Increasing
April 15, 2015 in News
The number of large-scale health data breaches reported by physicians and health insurers has been steadily increasing, according to a study by Kaiser Permanente published Wednesday in the Journal of the American Medical Association, Reuters reports.
Researchers reviewed data from HHS’ database of breaches of unencrypted health data that were reported by entities subject to HIPAA. Such breaches include those affecting at least 500 people in which the data could be linked back to individual patients.
According to the study, there were nearly 1,000 large data breaches reported between 2010 and 2013 that affected more than 29 million individual health records. Researchers noted that more than 50% of the breaches resulted from loss or theft of:
- Paper records; and
- Thumb drives.
Most of the breaches involved individuals’ electronic health records.
Overall, the annual number of large breaches increased from 214 in 2010 to 236 in 2011, 234 in 2012 and 265 in 2013.
The percentage of breaches attributed to hacking more than doubled during the three-year period, accounting for about 12% of incidents in 2010 and 27% in 2013. However, such incidents comprised less than one-third of all large-scale reported breaches (Doyle, Reuters, 4/14).
Further, the researchers noted in the study that the number of electronic data breaches likely will continue to increase as the use of EHRs rapidly expands, along with increased adoption of:
- Cloud-based analytics services;
- Gene sequencing;
- Personal health records; and
- Other health-related technology (Colliver, San Francisco Chronicle, 4/14).
In order to increase data security, the researchers recommended that health care organizations and lawmakers take action to increase staff training and bolster security measures (San Francisco Chronicle, 4/14).
Meanwhile, the Commonwealth Fund’s David Blumenthal wrote in an editorial accompanying the study that health care organizations must change their “behavior” to correct inadequate security practices, such as failing to encrypt data and staff carrying unprotected devices outside of health care facilities. In addition, he noted that patients should inquire about the facilities’ security practices (Reuters, 4/14).
Verizon: Industry Continues To Struggle With ‘Age-Old’ Security Threats
While the health care industry has made progress in protecting data from certain threats, it has seen increases in many other security incidents, according to a report from Verizon, Healthcare IT News reports.
For the 2015 Data Breach Investigations Report, Verizon examined 234 health care security incidents and 141 confirmed data breaches (McCann, Healthcare IT News, 4/14).
Overall, the report found that the health care industry has experienced nearly double the number of cyber-related security threats of all other industries (Allen et al., “Morning eHealth,” Politico, 4/14).
In terms of cyber-related security incidents:
- Web application attacks accounted for 7% of incidents in 2015, up from 3% last year; and
- Denial of service attacks accounted for 9% of incidents, up from 2% last year (Healthcare IT News, 4/14).
However, health care data breaches largely occurred from “age-old” security threats, according to “Morning eHealth.”
For example, the report found that physical loss or theft, privilege misuse and other errors accounted for 66% of security incidents (“Morning eHealth,” Politico, 4/14). Specifically:
- Physical theft or loss accounted for 26% of incidents in 2015, down from 46% in 2014;
- Insider misuse accounted for 20% of incidents in 2015, up from 15% in 2014; and
- Miscellaneous errors accounted for 19% of incidents in 2015 (Healthcare IT News, 4/14).
The report also found that health care organizations discovered 59% of security incidents within days of their occurrence. However, 37% of incidents took months or years to discover (“Morning eHealth,” Politico, 4/14).
The Verizon researchers recommended that industries improve security incident information sharing:
- In real time;
- From machine to machine; and
- Across multiple sectors (Menn, Reuters, 4/14).