Healthcare Breaches Reach All-Time High in 2016
A recent report by Bitglass has shown that data breaches were at an all time high last year, followed by a steep drop-off in early 2017.
Join the DZone community and get the full member experience.Join For Free
Despite Historic Volume of Breaches, Overall Number of Compromised Records Declines Year-Over-Year
I had the opportunity to speak with Salim Hafid, Product Manager at Bitglass about the results of a recent study that showed 2016 healthcare breaches hit an all-time high (328), surpassing the previous record set in 2015 (268). Records of approximately 16.6 million Americans were exposed as a result of hacks, lost or stolen devices, unauthorized disclosure, and more.
Keep in mind, this is just reported data breaches of 500 records or more. No one knows the number of unreported breaches which can be significant given companies' reticence to report a breach that will have a negative impact on the security perception of their brand.
Good news, however, is that the overall number of compromised records has declined for the second year in a row and early indications suggest that those numbers will continue to decline in 2017. These and other statistics are contained in the Bitglass 2017 Healthcare Breach Report.
The third annual Healthcare Breach Report aggregates data from the U.S. Department of Health and Human Services’ Wall of Shame – a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA) – to identify the most common causes of data leakage. Bitglass explored the changes in breach frequency, as well as the preventative steps organizations have taken to limit the impact of each breach in 2016 and in the first quarter of 2017.
The key Bitglass report findings include:
Breaches hit all-time high – 328 U.S. healthcare firms reported data breaches in 2016, up
from 268 in 2015.
The volume of leaked records fell in 2016, on track to fall further in 2017 – 16.6 million Americans were affected by breaches throughout 2016, down significantly from 2015 even when excluding the massive Anthem breach.
Unauthorized disclosures now the leading cause of breaches – accounted for nearly 40 percent of breaches in 2016.
Hacking and IT incidents continue to pose the greatest risk – the volume of records that leak because of hacking is greater than all other breach events combined.
All five of the largest breaches were the result of hacking and IT incidents in 2016. To put that in perspective, 80 percent of leaked records in 2016 were the result of hacking. So far in 2017, the largest breach was the result of theft and the four next largest breaches were due to hacking.
“Breaches and information leaks are unavoidable in every industry, but healthcare remains one of the biggest targets,” said Nat Kausik, CEO of Bitglass. “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”
According to Salim, awareness and education continue to be significant hurdles to be overcome in the industry, and as more companies move to the cloud, they will need to invest in cloud-side security.
Breach Costs Hit Record High
According to data from the Ponemon Institute, the average breach costs among U.S. companies is $221 per lost record, which is up from $217 per record in 2015. The cost per leaked record for healthcare firms topped $402 in 2016 – which is a massive cost given the number of records lost because of hacking-related breaches. Given the significant value of healthcare data – Social Security numbers, treatment records, credit information and more sensitive personal information – the cost of a breach to a hospital or health system can be devastating.
Why Healthcare Data?
Unlike credit card breaches, where limited liability laws offer some protection, victims have little recourse when subject to identity theft via personal healthcare information (PHI) leaks. Identity theft is not the sole use for this highly sensitive data – criminals can access medical care in the victim’s name or even conduct corporate extortion using PHI.
Under HIPAA, organizations dealing with PHI must implement several technical safeguards. Find details on how cloud access security brokers (CASBs) can help you achieve compliance and protect against cloud data breaches in the full 2017 Healthcare Breach report.
Opinions expressed by DZone contributors are their own.