Will 2022 Be the Year that Ends Data Breaches in Healthcare?
Healthcare is arguably one of our fundamental human rights. As such, we not only seek the best available care, but we must ensure our personal data be available and protected. Today more than ever, it’s imperative that Health IT leaders invest in security, perform regular cybersecurity risk assessments and strive for secure interoperability. The future of the healthcare infrastructure relies on organizations to continue to do everything they can to protect the confidentiality, integrity, and availability of their patients’ health information.
Unfortunately, the increasing number of healthcare data breaches continues to be at the top of the news. Healthcare continues to be a primary target for cybercriminals due to vulnerability and the high value of healthcare data. Healthcare data breaches leak patients’ HIPAA-protected confidential records, and millions of people are affected. Data breaches have a detrimental effect involving long-term financial consequences, disruption to patient care, a decline in hospital productivity, and worst-case scenarios, death of one’s loved ones may occur.
On December 2, 2021, The leading provider of commercial healthcare intelligence, Definitive Healthcare, released a study announcing the largest healthcare data breaches in 2020 and 2021. Annually, the compilation of the largest data breaches is posted by the Secretary of Health and Human Services (HHS) and consists only of breaches of unsecured PHI affecting 500 or more individuals. All data breaches of unsecured protected health information must be reported to all of the individuals impacted, HHS, and, in some cases, the press. This reporting is commonly referred to as the “wall of shame.” HHS only reports data breaches from the following types of organizations: healthcare providers, health plans, business associates, and healthcare clearinghouses.
This year through mid-October 2021, there have already been 543 healthcare data breaches affecting 36 million records. Chuck Brooks, global thought leader in cybersecurity and emerging tech, published a Forbes article relaying “more bad news in 2021, according to the Identity Theft Resource Center (ITRC), the number of data breaches publicly reported so far this year has already exceeded the total for 2020, putting 2021 on track for a record year.” Before this year, 2015 had more than 112 million records breached, affecting the largest number of individuals in several years.
Experts believe that the current surge in ransomware and data breaches within the public health sector results from the Covid-19 pandemic. In 2020, there was an increase of 150 data breaches from 2019, and “out of the 663 healthcare data breaches in 2020, the top twenty account for nearly half, or 16 million, of the 33 million total individuals affected. The largest incident compromised over 3.3 million records and five breaches affected over 1 million individuals each,” according to Definitive Healthcare. The common sources of 2020’s healthcare data breaches consisted of the following: network server breaches (43.0%), email (36.0%), paper/film (13.7%), EMR (5.0%), desktop (3.0%), other portable electronic devices (2.6%), and laptop (2.4%). Over two-thirds of these healthcare data breaches were caused by hacking or IT incidents, the most common type of breach. As the number of ransomware attacks caused by hacking or IT incidents increases, the number of breaches caused by theft, loss, and unauthorized access/disclosure decreases.
However, it’s not just about data loss. Several studies, including The Impact of Ransomware on Healthcare During COVID-19 and Beyond, published by Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, suggest that ransomware attacks on healthcare delivery organizations may have a significant impact on care delivery, including increased mortality rates. This risk is an essential concern for IT and security leaders in healthcare because patients’ lives are at stake. As a result, the healthcare industry must continue to transform cybersecurity by implementing broader risk management programs and automation.
There is undoubtedly much more work to prevent cybercriminals from disrupting patient care and costing the healthcare industry billions of dollars. As this year comes to an end, how will your organization transform its cybersecurity and risk management processes, resources, and technologies to protect patient data and care in 2022?
Ed Gaudet
CEO and Founder, Censinet