Why Healthcare Should Sweat “The Small Stuff” When It Comes to Health Data Security

In the five years since the passing of the 2009 HITECH Act, more than 30 million people in over 900 various cases have been affected by breaches of secure healthcare data.  The HITECH Act requires that HHS disclose to the SEC any incidents affecting more than 500 patients, but these numbers alone do not tell the whole story.  In a 2012 report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in ‘smaller incidents’ that fell below the 500 victim threshold.

In the five years since the passing of the 2009 HITECH Act, more than 30 million people in over 900 various cases have been affected by breaches of secure healthcare data.  The HITECH Act requires that HHS disclose to the SEC any incidents affecting more than 500 patients, but these numbers alone do not tell the whole story.  In a 2012 report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in ‘smaller incidents’ that fell below the 500 victim threshold.

In March, the Ponemon Institute, an independent organization focused on the research of privacy protection and data security, calculated that data breaches are costing the healthcare industry roughly $5.6 billion annually ─ and the Identity Theft Research Center reported that in 2013 healthcare data breaches accounted for almost half of major incidents reported across all industries (the first time healthcare has topped their list).

While 2014 data shows a downward trend in total costs of data breaches to health systems, since 2010 the number of attacks on healthcare systems has doubled.

The Last 12 Months:

• The turbulent rollout of public health insurance exchanges with many questioning the amount of focus dedicated  to ensuring their security
• Discovery of the Heartbleed bug, which caused massive vulnerability across the Internet and sent millions of consumers scrambling to change their online login credentials
• The theft of 4.5 million patient health records from Community Health Systems (CHS) made possible by Heartbleed.  This was the second largest breach of health records ever in the U.S. and has many in the healthcare industry fearfully anticipating future attacks made possible by information stolen through the vulnerability
• Hackers successfully breach the Healthcare.gov website and leave behind malicious software.  Though no patient data was believed to be taken, many are worrying about further attacks as a new enrollment period approaches and the exchange is flooded with new patient information

Not all data breaches are achieved by web-based means, however.  Below are the seven incident categories for health data security breaches being tracked by HHS (Note that some incidents fall under more than one classification):

Note: HHS also specifies the location of the breach, listing desktop computers, emails, electronic medical records, laptops, network servers, other portable electronic devices, and paper as possible vehicles.

What are criminals stealing?

• Like the CHS incident, criminals are targeting social security numbers (which in turn are used to steal identities) and creating fraudulent credit cards, passports, and bank accounts
• In other instances, the goal is electronic Protected Health Information (ePHI) or Electronic Medical Records (EMRs) which provide criminals with the information needed to fraudulently receive healthcare services under the guise of being insured – an $80 billion per year problem for the public insurance sector alone

We’re intrigued by the implications of healthcare data breaches and where best-in-class solutions can emerge to mitigate risk as our society ages and Medicare ranks swell, and as the volumes of newly insured patients seeking care and the related flow of information accelerates.  While this is often not a major topic of conversation in healthcare circles, data security and data privacy vulnerabilities represent a tremendous systemic risk and are becoming more of a threat as health data continues to become digitized.  In an upcoming report, TripleTree will assess some other potential but less obvious consequences of healthcare data security issues.  Until then, let us know what you think.

Written with Spencer Evenson.