Why breach prevention needs to move up executives’ priority list
The threat and occurrence of data breaches receive frequent attention in the healthcare industry. It often feels as though a new breach (or more) is reported on an almost daily basis. The significant rise in breaches also corresponds with the rise of electronic information from many sources. The general sense is being reinforced by studies and reviews as well.
A new analysis of data breaches conducted by researchers at Massachusetts General Hospital assessed breaches reported to the Office for Civil Rights (OCR) in the breach portal. The review dove into all reports from 2010 through 2017.
Because the review only included those breaches reported to OCR, it should come as no surprise that it certainly did not capture all breaches, since a fair number of breaches seem to slip by (whether deliberately or for some other reason) the required submission to OCR. Still, the reported breaches encompassed 2,149 incidents impacting 176.4 million records. Those are staggering numbers and mean that roughly half of the population of the United States has been subject to a data breach.
The researchers dove further into the numbers to determine which segment of the healthcare industry was the most frequent cause and which segment accounted for the largest breaches. In not unexpected results, almost 70 percent (1503) of the breaches occurred in the provider setting. However, health insurance plans account for 63 percent of all of the records impacted by a breach, despite “only” having 278 breaches.
Beyond the place of breaches, the source ranged from paper records and laptops earlier on to network servers and email more recently. Such a shift would seem to reflect where data reside more often now as opposed to 2010, at the beginning of the review period.
Overall, the research into breaches reported to OCR paints a pretty bleak picture of the state of security in healthcare. Records are at risk, and it seems as though not much is being done to address the issue. Further, the scope of attacks only keeps increasing, from the perspective of third-party bad actors, because healthcare is viewed as vulnerable. That assessment does not even touch upon the risk of insiders, who often leak smaller amounts of data at a time as opposed to a large breach that captures media attention.
With all of the real negative news, it can be difficult to find any silver linings or signs of hope. However, there are more public-facing efforts focusing on security and attempting to raise awareness of what should be done. Those include private organizations coming up with best practices or the efforts like the cybersecurity task force in the federal government, although that seems to have either filled its initial purpose or is just lying dormant.
Almost every health IT, legal or other conferences that will draw attendees from the healthcare industry includes security issues on the agenda. The opportunities are present to be reminded of, made aware of for the first time or otherwise informed about the importance of security.
Cybersecurity is ostensibly a top concern of executives as well. The annual top ten list from the Healthcare Executive Group includes cybersecurity as item number 10. While not as high as would be preferred because the other items on the list will command significant capital investments, at least cybersecurity is present. Inclusion suggests that executives want to improve security at their organizations or at least are being informed by those who are focused on the issue. Hopefully, the high-level attention will enable action.
However, attention is not the same as investment. All the talk in the world will not improve security if the right resources are not devoted to it. From the money perspective, a steady stream is likely necessary as one-off investments will not result in real security—there needs to be ongoing investment in keeping all systems up to date and responding as needs change.
Investment of resources means finding appropriate individuals to focus on security and not make it a side project or just a “fill-the-hole” approach. Obtaining and maintaining those resources will also necessarily involve monetary expenditures because people need to be paid.
The challenges are not new, nor are the calls to action. The question becomes when will security move to and remain near the top of the priority list. The call to action can only be made so many times, because questions invariably arise after a breach occurs.
If the threat of damage to reputation, loss of trust or any other negative consequence is not sufficient to spur action, what is? If there is an answer to that question, whoever can come up with it will have found a golden egg. All the same, it is not good to be pessimistic. Optimism always needs to remain or the game will be completely lost.