The cybersecurity threat faced by the healthcare industry has been widely reported as being at a critical level, yet data on the actual threat level is in short supply. HITRUST recently commissioned a survey to investigate the actual threat level, and this week a review of reported data breaches has been published on the matter.
The latest study was performed by staff at Kaiser Permanente, an integrated managed care consortium based in Oakland, California. The study looked at the hacking incidents which occurred between 2010 and 2013, and the findings have recently been published in The Journal of the American Medical Association (JAMA).
The study shows that over the course of four years, hacking incidents involving Protected Health Information almost doubled. In 2010, close to 5% of all data breaches involving HIPAA-covered data and affecting more than 500 individuals were attributed to the actions of hackers or to malicious software (malware). By the end of 2013 that percentage had risen to 9%.
Dr. Vincent Liu was the lead author on the report. He pointed out that deliberate attacks by hackers “are particularly dangerous because they can involve a high number of records,” and added that “Our study demonstrates that data breaches have been, and will continue to be, a persistent threat to patients, clinicians, and health care systems.”
According to the editorial in JAMA, the high number of data breaches now occurring poses a problem for the healthcare industry. It is feared that patients could be withholding important information about their health because they do not want it to appear in their medical records, where it could be disclosed in a breach. While this is not a new problem, in light of the number of data breaches the issue could get much worse. This particularly applies to sexually transmitted diseases, HIV, substance abuse and mental health issues, which may go unreported and remain untreated.
According to the editorial, “Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States.”
Phishing Scams Pose High Risk of a HIPAA Breach
Attention may currently be focused on data breaches caused by “highly sophisticated attacks”; however, in many cases data is exposed as a result of relatively simple methods. Phishing emails and malware that trick healthcare professionals into revealing their login information are a major risk. These emails can be highly realistic and can easily fool the unwary into divulging their personal account details. The data breach at Anthem was allegedly caused by malware that tricked users into revealing their login credentials.
While the threat of cyber attacks may be very real, and also on the increase, by far the largest cause of data breaches is the loss and theft of devices containing PHI, and accidental or deliberate disclosures by members of hospital staff. It is important that, with all the media attention surrounding hacking incidents, these other threats are not ignored.
Training should be provided to all staff to help them identify email scams and phishing campaigns, and refresher training sessions should be conducted to keep the HIPAA Privacy and Security Rules fresh in the minds of employees.