Healthcare entities reported 45 data breaches in 23 states to the US Department of Health and Human Services (HHS) in April, marking the highest number of reported healthcare-related breaches in one month since the agency began tracking such incidents in 2010. The previous record was set in April 2018, when providers reported 42 data breaches to HHS.
“The number of breaches in April is quite concerning and reinforces the need for healthcare organizations to continue maturing and expanding their cybersecurity programs,” said Allyson Vicars, consultant and healthcare IT advisor with Advisory Board, a best practices firm serving the healthcare industry.
The 45 businesses and organizations, all covered by HIPAA, included 38 healthcare providers, six health plans, and one business associate. The most breaches were reported in California and Texas. About two-thirds of the breaches were hacking or IT incidents. Other breaches included loss, improper disposal, theft, and unauthorized access or disclosure of patient records.
One of the breaches involved theft of a desktop computer, electronic medical records, and paper and films from a dental practice in Alabama. Another was a hacking/IT incident involving email at an endodontic group in Oregon. Similarly, the email at a dental health plan and business associate in Ohio was compromised in March.
The breaches on average compromised the data of 30,000 people, though two each impacted more than 100,000 people. A ransomware attack at Doctors’ Management Service compromised the data of 200,000 people. Despite the larger number of breaches in April, March 2019 and April 2018 each saw the data of more people compromised.
“As an industry, we have made strides in the past couple of years improving our technological stance and security processes. But as the data here alludes, the cyber threats we face continue to grow in sophistication and magnitude and become more difficult to combat,” said Vicars, who also noted the devastating consequences of these incidents on healthcare organizations.
“Not only is the immediate cleanup expensive to address, but class action lawsuits are now commonplace following a breach. And certain incidents, like ransomware, can halt clinical activity for hours and even days, which can continue to reverberate long after the attack,” said Vicars, adding that every healthcare organization needs a strong strategy to mitigate risks.
“You can’t eliminate cyber risk completely. Rather, the most progressive organizations have a well-funded and widely supported security program that matches their specific organizational culture and operational needs and ultimately is aimed at mitigating risk down to an acceptable level as set by the board of directors,” Vicars said.
Effective cybersecurity “isn’t just about having the best technology,” Vicars added. “A strong cybersecurity strategy requires inclusive governance, clearly defined and enforced policies, as well as continued education and process implementation across all areas of the enterprise.”
The Advisory Board recommends a crucial role for executives beyond the chief information officer and chief information security officer in this strategy. The board, for example, could ensure that mechanisms are in place to track security status and progress. The CEO, meanwhile, would include cybersecurity in due diligence of any M&A or partnership activity.
Also, the chief financial officer would ensure funding requests for security tools and services are vetted against a security strategy and roadmap. The chief operational officer would ensure that business continuity plans are in place, tested, and working well. And the chief human resources officer would ensure that the necessary staff is in place to operationalize the strategy.