We all love sequels of our favorite movies. Unfortunately, when it comes to healthcare breaches, there is not much to love about the likelihood of a 2016 sequel to a record breaking 2015.
At the end of 2014, which was recognized as “The Year of the Cyber Breach,” many industry leaders, including Third Rock, predicted 2015 to be the year of the “Healthcare Breach.” It didn’t take long for the prediction to come true. By the end of the first quarter, an estimated 91 million healthcare records had been compromised – 11 times more than all the records improperly disclosed in 2014! And the total continued to climb throughout the year. Jason Hart, vice president and chief technology officer (CTO) for data protection at Gemalto, an international digital security firm, was quoted in a February 23rd SC Magazine article with some interesting and telling statistics.
• 58% of breaches were caused by malicious outsiders or cyber criminals.
• 77% of breaches were in the United States. Only 12% were in Europe.
• Insiders accounted for only 14% of breaches and 7% of records exposed.
• The primary breach type was identity theft.
• Attackers are now focusing on healthcare and government because they are large targets with greater vulnerabilities.

Healthcare records are attractive targets for several reasons. The “success” of credit card data theft saturated the black market, depressing the value of stolen credit cards, so a healthcare record is now worth 50 times more on the black market than a stolen credit card. A healthcare record also contains all the information necessary to steal a person’s complete identity, making it possible for the thief to obtain car loans, lines of credit, and even healthcare. Finally, the new chip-on-card technology may have caused thieves to look for easier targets. Unfortunately, many healthcare organizations are still vulnerable.

There is no silver bullet that will end this cyber war. Clearly, healthcare businesses must adopt more robust cyber security capabilities. It is no longer a question of “if” but “when” a breach will occur. Businesses that generate, transmit, or store electronic Protected Health Information (ePHI) must adopt “defend and detect” capabilities by “hardening” existing defenses and implementing new breach detection capabilities to prevent data theft. Otherwise, 2016 will be a sequel no one wants to see!