Data at Risk: Exposure from Breaches

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

The threat and occurrence of data breaches receive frequent attention in the healthcare industry. It often feels as though a new breach (or more) is reported on an almost daily basis. The significant rise in breaches also corresponds with the rise of electronic information from many sources. The general sense is being reinforced by studies and reviews as well.

A new analysis of data breaches conducted by researchers at Massachusetts General Hospital assessed breaches reported to the Office for Civil Rights (OCR) through its breach portal. The review covered all reports from 2010 through 2017. Because the review only included breaches reported to OCR, it should come as no surprise that it did not capture all breaches: a fair number seem to slip past the required submission to OCR, whether deliberately or for some other reason. Still, the reported breaches encompassed 2,149 incidents impacting 176.4 million records. Those are staggering numbers and mean that roughly half of the population of the United States has been subject to a data breach.

The researchers dove further into the numbers to determine which segment of the healthcare industry was the most frequent source of breaches and which segment accounted for the largest ones. Unsurprisingly, almost 70% (1,503) of the breaches occurred in the provider setting. However, health insurance plans accounted for 63% of all of the records impacted by a breach, despite “only” having 278 breaches. Beyond where breaches occurred, the source of breaches shifted from paper records and laptops earlier in the period to network servers and email more recently. Such a shift would seem to reflect where data reside more often now as opposed to in 2010 at the beginning of the review period.

Overall, the research into OCR reported breaches paints a pretty bleak picture of the state of security in healthcare. Records are at risk and it feels as though not much is being done to address the issue. Further, the scope of attacks only keeps increasing from third-party bad actors because healthcare is viewed as vulnerable. That assessment does not even touch upon the risk of insiders, who often leak smaller amounts of data at a time as opposed to a large breach that captures media attention.

With all of the genuinely negative news, it can be difficult to find any silver linings or signs of hope. However, there are more public-facing efforts focusing on security and attempting to raise awareness of what should be done. Those include private organizations developing best practices and efforts like the cybersecurity task force in the federal government (though that seems to have either fulfilled its initial purpose or is just lying dormant). Almost every health IT, legal, or other conference that draws attendees from the healthcare industry includes security issues on the agenda. The opportunities are there to be reminded of, introduced to, or otherwise informed about the importance of security.

Cybersecurity is ostensibly a top concern of executives as well. The annual top ten list from the Healthcare Executive Group includes cybersecurity as item number 10. While that is not as high a ranking as would be preferred, since the other items on the list will command significant capital investment, at least cybersecurity is present. Inclusion suggests that executives want to improve security at their organizations, or at least are being informed by those who are focused on the issue. Hopefully, the high-level attention will enable action.

As hinted at above, though, attention is not the same as investment of both money and time. All the talk in the world will not improve security if the right resources are not devoted to it. From the money perspective, a steady stream is likely necessary, as one-off investments will not result in real security. Instead, there needs to be ongoing investment in keeping all systems up to date and responding as needs change. Investment of resources means finding appropriate individuals to focus on security, not making it a side project or taking a “fill the hole” approach. Obtaining and maintaining those resources will also necessarily involve monetary expenditures, because people need to be paid.

The challenges are not new, nor are the calls to action. The question becomes when security will move to, and remain near, the top of the priority list. The call to action can only be made so many times, and the same goes for being publicly called out when a breach occurs. If the threat of damage to reputation, loss of trust, or any other negative consequence is not sufficient to spur action, what is? If there is an answer to that question, whoever comes up with it will have found a golden egg. All the same, it is not good to be pessimistic. Optimism always needs to remain, or the game will be completely lost.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.