The common source of healthcare data breach data is HHS Office for Civil Rights Breach Report. Although it is an important source of data to know the developments in data breaches, the Breach Report has limited scope since it merely shows data breaches impacting five hundred or more persons.
In addition, when covered entities and business associates utilize the Breach Portal to send a breach notification, they could just choose one “Type” of the breach (such as Improper Disposal, Hacking/IT Incident, Unauthorized Access/Disclosure, Loss, or Theft). Sometimes, the “Types” don’t correctly show the reason for the breach, and the nearest choice is picked.
As a result, statistics taken from the Breach Report state the majority of the story, however, not all of it. Sometimes, this could result in misinterpretations of the information, which can make security teams spend resources on incorrect security measures.
Why Concentrate on Hackers and Health Data?
The reason behind the focus on hackers and health data is that, at first glance, the volume of reported Hacking/IT Incidents impacting over five hundred people has grown considerably in the last 10 years. This has resulted in some surprising news on Health IT web pages, which could affect how security resources are spent.
Looking at Information about Hackers and Health Records
There are various reasons for the higher number of reported Hacking/IT Incidents aside from an actual rise in Hacking/IT Incidents. These include the fact that security teams and technologies have become better at identifying hacking incidents and that statistics include ransomware attacks even when no data breach has happened.
Nevertheless, one probable reason for the big rise in the number of reported Hacking/IT Incidents involving over 500 people is that databases have become bigger since healthcare companies started using the cloud and mixing PHI from on-site databases to a central cloud database.
How the Smaller Data Breaches Compare
Though HHS doesn’t post online the reported data breaches impacting less than 500 people, the breaches are included in HHS’ Annual Reports to Congress. Presently, the Annual Reports for 2018 to 2021 can be found on the internet. From these reports came the report of Hacking/IT Incidents impacting less than 500 people.
Although it is vital not to acquire this small sample of information, and despite that 2018 might have been a great year for reported Hacking/IT Incidents impacting less than 500 people, there were more reported Hacking/IT Incidents in 2018 compared to 2021, and likewise more in 2019 compared to in 2020.
Sadly, the Annual Reports before 2018 are not available through the HHS web page; and, since the 2021 Annual Report to Congress was just sent in February 2023, it will take time before it can be known whether there will be an increase, decrease, or the same the number of reported Hacking/IT Incidents compared to those reported from 2018 to 2021.
Looking at the information about hackers and health records, it must not be ignored how health records held to ransom are included in the HHS’ Breach Report. In general, ransomware attacks are regarded as disclosures not allowed by the HIPAA Privacy Rule because of unauthorized persons possessing or controlling the information.
Whether a ransomware attack is a notifiable occurrence is a “fact-specific determination” based on HHS’ Ransomware Fact Sheet. Nevertheless, except if a covered entity or business associate can show a low likelihood that PHI is obtained or seen according to 45 CFR §164.402(2), (that is difficult to confirm in many ransomware attacks), the occurrence is notifiable.
When a ransomware attack is reported, the Breach Portal Help section states that just select Hacking/IT Incident when ePHI was impermissibly accessed via a technical attack. Nevertheless, although there might be no proof to indicate PHI was obtained or viewed, the probability can’t be excluded. Ransomware attacks are generally reported as Hacking/IT Incidents.
The Number of Hacking Events Due to Ransomware Attacks
When going over the Breach Report, readers have two choices: look at the cases presently being investigated or look at an archive of closed cases. The archive offers a description of what occurred for the majority of the closed cases, and by examining the descriptions, it is likely to determine how many incidents submitted as Hacking/IT Incidents are actually ransomware attacks.
To know the number of reported hacking events that should be attributed to ransomware attacks, the last 200 closed incidents with the event “Type” reported as a Hacking/IT Incident were examined. The result of the examination is as follows:
- 29% of Hacking/IT Incidents were due to phishing emails
- 33.5% of Hacking/IT Incidents were due to ransomware attacks
- 37.5% of Hacking/IT Incidents were due to unspecified cyberattacks
Sadly, the analysis is undetermined since, while doing the examination, several mis-categorizations were found. For instance, ransomware attacks are classified as “Theft” and phishing emails are classified as “Unauthorized Disclosures”. Furthermore, it is well reported that 91% of cyberattacks (which include ransomware attacks) begin with a phishing email.
Common Reasons for Healthcare Data Breaches
Further examination of the archive database, it’s likely to spot common reasons for healthcare data breaches that could help security groups better spend resources. Hence, it might just be required to enhance users’ toughness to phishing emails, but likewise to better protect connected EMRs and carry out steps to stop the wrong setup of cloud servers.
Going back, particularly to hackers and health records, it will shortly be required for healthcare security groups to adhere to CIRCIA (Cyber Incident Reporting for the Critical Infrastructure Act). The requirements of reporting under CIRCIA indicate that efforts to hack a database that contains PHI should be reported to CISA irrespective of whether the hack succeeds or not.
Although the more significant reporting requirements and the necessary detail will unquestionably be troublesome, they ought to bring about more correct and complete information regarding hackers and health record thefts, supporting security teams to better determine gaps in their security protection and better spend resources to deal with threats and vulnerabilities.
