Cybersecurity Monitor: July 2016

IN THIS ISSUE
A new Healthcare Breach Barometer reported that, in June, over 11 million patient records were reported as compromised, far more than any previous month’s total in 2016. Indeed, the June number was two and a half times greater than the first five months of 2016 combined. These numbers are undoubtedly a cause for concern within the healthcare industry. But our analysis of the Barometer leads us to conclude that a data security strategy that focuses primarily on technological solutions to external threats is overlooking a possibly equal threat to patient privacy: the mishandling of patient information by employees. The solution to this threat is robust internal communications on the appropriate handling of sensitive patient information.

HEALTHCARE DATA SECURITY NOT JUST A TECHNOLOGICAL ISSUE
The healthcare industry is no stranger to cyberattacks. A 2015 study found that healthcare organizations are twice as likely to suffer a data breach than those in other industries. Another study found that, between 1995 and 2005, healthcare organizations suffered more breaches than any other industry sector – accounting for 27 percent of all breaches. And this month, cybersecurity firm Protenus and DataBreaches.net launched a monthly Healthcare Breach Barometer (Barometer) with the startling find that, in June, over 11 million patient records were reported as compromised, far more than any previous month’s total in 2016. Indeed, the June number was two and a half times greater than the first five months of 2016 combined.

These numbers are undoubtedly a cause for concern within the healthcare industry. At the same time, the data reported in the Barometer also allow us a different perspective on the threat than we might get from the sometimes sensational media headlines.

First of all, if we focus on reported incidents instead of records compromised, then the number of incidents in 2016 has remained fairly consistent. From January to February, the number of reported incidents doubled – from 12 to 24. In April, the number jumped from 27 to 33 incidents. But in May and June, the number of incidents dropped back to 28 and 29, respectively.

Turning back to the number of records compromised, the Barometer allows that June may turn out to be an anomaly. Healthcare IT News, reporting on the Barometer, wrote in its lede, “The number of healthcare security attacks continues to grow with breaches of over 11 million patient records in June, more than any other month this year.” As we just noted, the Barometer shows that the number of incidents this year has not grown appreciably since February. Furthermore, both the Barometer and Healthcare IT News noted that one hacker accounted for more than 10 million of the 11 million records compromised in June. If we set aside those records as a possible anomaly, the remaining one million records, while still significantly higher than four of the first six months of 2016, are less than half the number of compromised records reported in March.

Finally, it is possible to conclude from the Barometer that hackers, while certainly a significant threat to the healthcare industry, perhaps are not the biggest threat. In fact, according to the Barometer, less than half (41.4 percent) of reported breach incidents in the first half of 2016 involved hacking. The majority (58.6 percent) involved either insider wrongdoing/human error (41.1 percent) or the theft/loss of electronic devices or paper records (17.2 percent).

Our analysis does not – nor is it intended to – belie the healthcare industry’s concerns about external intrusions, such as ransomware or outright data theft. Rather, the analysis leads us to advise that, in addition to technological solutions for securing patient data, a healthcare organization’s data security strategy also should include robust internal communications on the appropriate handling of sensitive patient information.