Several Factors Behind Rise in Data Breaches

November 14, 2016

Data breaches spiked dramatically in the second half of the year, but some experts at AHIMA’s 2016 national convention in Baltimore suggest the apparent surge might be caused in part by improved reporting.

In October, Protenus released a data breach statistics report compiled from breach reports in the media and to federal agencies. The report found that there were more breaches per month in the second half of 2016, with an average of more than 39 incidents per month. The first half of the year saw approximately 25 breaches per month, according to Protenus.

The data is borne out by the experience of most organizations, says Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin. Insider threats, phishing, hacking, and ransomware have hammered the healthcare industry. It’s not only the sheer volume of attacks that’s increased, he says, but the diversity of them. New variants of malware and ransomware roll out as quickly as organizations can detect and protect against existing ones.

“Organizations just aren’t getting a break,” he says.

But earlier this year, the Office for Civil Rights (OCR) released specific guidance for hospitals on ransomware. Although the use of ransomware against healthcare organizations spiked this year, ransomware itself is not new and hospitals have long been at risk for it. As the industry struggled to mount an effective response, some questioned whether ransomware was a reportable breach. It was argued that because ransomware is not typically believed to access, copy, or export the files it encrypts, a ransomware infection is not a breach of protected health information (PHI). But OCR acted quickly and released guidance that made it clear that the presence of ransomware does represent a reportable security incident—and always has. The guidance may have prompted organizations to be more diligent in their reporting, says David Holtzman, JD, CIPP, vice president of compliance for CynergisTek.

“Are we seeing more breaches or the impact of OCR’s guidance over the summer that specifically provided a ransomware incident is a reportable breach?” he asks. “I think we’re starting to see some increased reporting.”

Both McMillan and Holtzman emphasized that the types of attacks organizations face are not in themselves new, and that organizations already have the tools to strengthen security. Basic security measures, such as ensuring all software is kept up to date, will make an organization a tougher target to crack.

“There will always be some evolving and sophisticated malware or ransomware that will impact healthcare organizations, but we have tools available to us that meet many of the existing challenges,” Holtzman says.

Some organizations may need to address a basic lack of security measures. “They can address the lack of technology in their environment that creates a secure enterprise. We still don’t have enough hospitals that are employing things like next-generation firewalls, email, or web gateways that actually filter out a lot of the traffic,” McMillan says. “We don’t have folks employing advanced malware detection that use a behavioral analytics approach to identify anomalous behavior in the environment. They’re still relying on signature-based platforms that are, quite frankly, just not adequate.”

In the October 18 session “Top Cybersecurity Threats Healthcare Must Tackle Now,” McMillan discussed other steps organizations can take to improve security, such as the use of passphrases rather than passwords. Healthcare organizations are a key part of the country’s vital infrastructure, he said during the session, yet the industry’s complacent attitude toward cybersecurity makes it highly vulnerable. Organizations must report security incidents in accordance with OCR’s guidance to help federal agencies understand and act on the threats to the industry, and they must also do their part by following sound security practices.
