What’s true in life is true in business: the best kind of mistake to learn from is someone else’s.
And buried in the hundreds of lines of data maintained by the Department of Health & Human Services, you’ll find plenty of lessons.
Stretching back to 2009, the department’s records tell the stories of lost or stolen laptops, leaked paper records, hackers breaking into servers, and employees accessing data that should have been beyond their reach.
Each entry in its database tells all but one of the essentials of any whodunit: who, what, where and how … just not why.
But there’s enough detail to be found in the department’s “Breach Portal” to make any healthcare organization think of preventative measures, alternative approaches and different paths.
The Portal documents every “major” data breach by a healthcare provider, healthcare plan or business associate in the last seven years. “Major” is defined by any breach involving at least 500 confidential records.
So, what does the dataset say – and what are the key lessons?
The story of 2016 in three trends
Mine the data in the Portal and you can chart three notable trends:
- The number of cases per year
- The primary causes of breaches
- The number of records breached per year
Cases per year
Track back to 2011 and you’ll find 196 data breaches recorded in the Portal. Skip ahead to today, and you’ll find 302.
The story of the intervening four years is a jagged upward trend in the number of cases – it’s not a clear straight line on a chart – but a general upward progression with a spike in 2013-14. Nonetheless, the long-view suggests major data breaches are a growing problem. 2016 stands as a record year.
Year – Cases
2011 – 196
2012 – 209
2013 – 274
2014 – 207
2015 – 270
2016 – 302
Primary causes
The Department designates the primary cause of a breach against one of five broad categories: Hacking, Improper disposal, Loss, Theft, and Unauthorized Access/Disclosure. Inevitably, hacking grabs the headlines. But the data in the Portal suggests a bigger problem lies elsewhere.
In 2016, the primary cause of breaches broke down as follows:
2016
Unauthorized access/disclosure: 41.5%
Hacking: 31.8%
Theft: 19.0%
Loss: 5.4%
Improper disposal: 2.3%
Actions employees or associates accessing and sharing data they should not – or disclosing it to people they should not – was the single biggest breach factor this year.
Look a little further back, and different trends emerge.
2015
Unauthorized access/disclosure: 38.0%
Theft: 30.0%
Hacking: 21.4%
Loss 8.3%
Improper disposal: 2.3%
2014
Theft: 45.6%
Unauthorized access/disclosure: 26.4%
Hacking: 14.0%
Loss: 11.1%
Improper disposal: 2.9%
Looking at prior years, two trends become apparent. First, the rising trend in both insider disclosure and hacking. Insider breaches accounted for little more than a quarter of cases in 2014. This year, they account for 41%. Hacking was the primary cause behind 14% of incidents in 2014, but approaching a third of cases this year,
Second, there has been a sharp decline in theft as a primary cause of data breaches. Two years ago, theft was the biggest single factor – accounting for 45.6% of incidents. This year, the proportion has fallen to 19%.
This suggests that physical security of records – either stored in digital form or as paper files – has improved significantly in recent years.
But the lesson is clear: insider error and external hacking are growing, potent threats.
Records breached per year
If the number of cases per year reveal the number of organizations involved, the number of records breached represents the toll on patients. Healthcare records remain a tempting prize to those who seek to steal them.
Look in markets on the Dark Web and you’ll find them described as “fullz” – full dossiers of information – worth far more to criminals intent on fraud than usernames and passwords for email or social media accounts.
Often, the impact on the end-victim of a healthcare breach can be felt many months after the initial breach.
The data in the portal has two lessons.
First, the number of compromised records fell sharply this year compared to 2015.
- 2016: 15,223,075 records compromised
- 2015: 113,267,174 records compromised
Why? A single case in 2015 accounted for more than 70% of the total breaches that year: the Anthem hack of March 2015 compromised 78 million records.
However, look back further and 2016 compares less favorably.
- 2014: 5,158,517 records compromised
- 2013: 6,950,118 records compromised
- 2012: 2,808,042 records compromised
So, if 2015 illustrates the damage that one major breach can cause, the underlying story is the marked increase in 2016 compared to two or four years ago.
There has been a threefold increase in the number of compromised records since 2014 and a five-fold increase since 2015.
Forecast for 2017
If we follow the year-on-year increase from 2015, we could see more than 325 major breaches next year.
We’ll be within sight of one major breach in healthcare for every day of the year.
But the story in the statistics is that healthcare organizations face a real threat – and a growing threat – to their data from insiders accessing information and sharing it without authorization.
If it’s an internal threat, surely it can be managed and mitigated – much in the way that theft as a threat appears to have been since 2014?
The old proverb ‘Physician, health thyself’ seems appropriate here.
But that’s easier said than done.
The three-step solution
Ask healthcare practitioners why they entered their profession and the chances are they won’t say “to manage IT”. Their mission and vocation is providing the best possible medical care and patient outcomes.
There’s technology in the marketplace right now that can mitigate the primary risk of healthcare breaches: insider errors and misjudgements.
But the best technology doesn’t place a heavy burden on staff to learn new processes, adopt new workflows and tailor their activity to a system. It’s intuitive. Simple to adopt; easy to implement.
There are three steps towards a solution to the insider threat of data breaches: audit, implement and advocate:
1. Audit data security. Data tends to flow around an organization and into places you never intended it to go. That means files being saved onto laptops, attached to emails, even uploaded to the cloud rather than being stored securely. The first step is to work with an auditing partner who can assess where data lives in a business, how it’s being used, by whom and on what device. The audit is the first step to understanding weak points in internal process and working practices that needed to be strengthened.
2. Implement a Data Loss Prevention (DLP) solution. There’s no better way to mitigate the risk of data leaks than limiting access to confidential files – and preventing those files from being saved or sent places they shouldn’t go. That means having a technical barrier in place that prevents documents from being saved to external drives, screenshots being cut-and-pasted into emails, or data being uploaded to cloud storage or file sharing services. That’s precisely what DLP does.
3. Advocate security with contractors and partners. Every organization is part of a network of suppliers and partners. The Department of Health & Human Services is expecting business “associates” of healthcare providers to demonstrate data-safe working practices. You should expect that too.
So, whether it’s an IT contractor, marketing agency, maintenance or facilities service, healthcare providers should demand the highest standards of data security from their partners.
The end of one year and the start of the next is the perfect time to check.
So, what will happen in 2017?
This time next year, what story will the dataset in the Portal tell?
More cases? Our forecast suggests so.
More records breached? That depends on whether or not we will see a repeat of the single, large-scale breach of the kind that happened in 2015.
The insider threat continuing to grow?
It’s within the power of healthcare organizations to write their own end to that tale.
[su_box title=”About Luke Walling” style=”noise” box_color=”#336588″][short_info id=’97533′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.