News Feature | March 3, 2016

2015 Breach Report On The State Of Cyber Security Released

By Christine Kern, contributing writer

Over 100 million patient records were affected by large-scale hacking attacks last year.

Data breaches and other large-scale hacking attacks dominated the healthcare cyber security scene in 2015, according to Redspin. In Breach Report 2015: Protected Health Information (PHI), the sixth annual analysis of the causes of PHI breaches reported to the Department of Health and Human Services (HHS), Redspin found the PHI breach landscape saw some startling changes.

“2015 was a watershed (or perhaps a ‘washout’) year in healthcare IT security,” notes the report. “In previous reports we warned that ‘the threat from malicious outsiders — hackers — has the potential to wreak havoc on the healthcare industry.’ In 2015, havoc was wrought.”

Reporting of large breaches of PHI is mandated by the HITECH Act, which states breaches of more than 500 records must be reported in a timely fashion to the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS).

According to Redspin, unlike previous years, when the primary cause was the loss or theft of unencrypted portable computing devices, PHI breaches in 2015 were overwhelmingly the result of hacking, which factored in nine of the 10 largest breach incidents. Those incidents led to the compromise of 98.1 percent of all patient records breached in 2015. Daniel W. Berger, President of Redspin, said, “Healthcare organizations are under attack. For those entrusted to protect patient data, the security challenges are now that much more difficult.”

The report also found there was an 89.7 percent increase in records breached in 2015 vs. 2014, and 88.2 percent of all records breached resulted from the top three incidents of 2015. Last year’s single-largest incident, which was also the largest healthcare breach in history, involved 78,000,000 records. In all, there were 258 large breaches of PHI in 2015, with a total of 113,208,516 patient health records breached. Approximately one in three Americans has had their personal health information breached as the result of security flaws or human error since 2009.

PHI commands a high price on the black market because it is rich in demographics and other sensitive and valuable information, including insurance information and prescriptions. And unlike credit card numbers or other financial data, once PHI is stolen, it cannot be canceled or recovered; in the wrong hands, it leads to medical ID theft or fraud.

Phishing also played a major role in many of the 2015 hacking attacks, according to the Redspin report. “Phishing attacks exploit natural human tendencies like curiosity and helpfulness, often with devastating consequences,” explained Berger. Once the malicious hackers access network credentials, they use them to locate and pilfer PHI databases.