Cybersecurity – Health Care

Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.

Patient records breached in 2019 almost tripled the number from 2018, when 15 million patient records were affected by breach incidents, according to a report from Protenus and DataBreaches.net.

Protenus, a healthcare compliance analytics firm, analyzed data breach incidents disclosed to the U.S. Department of Health and Human Services or the media during 2019.

There also has been an alarming increase in the number of breaches of patient privacy since 2016. Four years ago, there were 450 security incidents involving patient data, and that jumped to 572 incidents in 2019.

This number is likely to be a huge underestimate, as two of the incidents for which there were no data affected 500 dental practices and clinics and could affect significant volumes of patient records, Protenus reported.

There continues to be at least one health data breach per day, a trend Protenus first reported in 2016.

Here are three major cybersecurity trends Protenus found:

1. Hacking incidents surge

It appears hacking incidents, particularly ransomware incidents, are on the rise—hacking was the cause of 58% of the total number of breaches in 2019, impacting 36.9 million patient records.

And one disturbing trend: Hackers are getting more creative in how they exploit healthcare organizations and patients alike.

In 2019, there were incidents of hackers attempting to extort money from patients whose records were exposed, not just the affected healthcare organization. In one incident in Florida, hackers sent ransom demands to a number of the affected patients, “threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met,” Protenus reported.

2. One massive data breach

The single largest privacy incident reported last year was a massive security breach at American Medical Collection Agency (AMCA), a third-party billing collections firm. At least four clinical labs, including Quest Diagnostics and LabCorp, were impacted by AMCA’s security breach which, to date, exposed the sensitive data of 21 million patients.

The breach came to light when analysts found patient information, including dates of birth, social security numbers and physical addresses, for sale on the dark web, according to Protenus.

In the aftermath of the breach, AMCA’s parent company, Retrieval-Masters Creditors Bureau, voluntarily filed for Chapter 11 bankruptcy protection in the Southern District of New York in June.  

3. Staff members pose major security risk

Staff members inside healthcare organizations were responsible for breaching 3.8 million patient records in 2019, up from 2.8 million records in 2018.

The report characterized insider incidents as either human error or insider wrongdoing, which includes employee theft of information, snooping in patient files and other cases where employees appeared to have knowingly violated the law. 

As one example, the report highlighted an incident where a nurse is suspected of gaining access to patient information and providing the data to a third party for fraudulent purposes. It is estimated that 16,542 patients could have been affected over the course of almost two years before discovery. The investigation is still ongoing.

Phishing attacks also continue to plague healthcare. Hospital employee education and training to detect and not fall victim to such attacks are imperative to get ahead of the hacking incidents, the report said.

“Hackers are also using credential-stuffing attacks, making it increasingly important to train employees not to reuse passwords across work settings and personal accounts,” Protenus wrote.

NRC Health was hit with a ransomware attack Feb. 11 and is still working to restore its systems and services.

The company, which works with 75% of the 200 largest U.S. hospital chains, administers patient survey tools to hospitals.

The cyberattack was first reported by CNBC’s Chrissy Farr on Thursday.

NRC Health works with 9,000 healthcare organizations, including Adventist Health, Jefferson Health, Cedars Sinai, Phoenix Children’s Hospital, Ochsner, and Providence Health, according to the company’s website. NRC Health collects data from more than 25 million healthcare consumers a year across the U.S. and Canada.

In a statement provided to FierceHealthcare, Paul Cooper, Chief Information Officer at NRC Health, said on Feb. 11 the company experienced a ransomware attack on certain computer systems and immediately shut down its “entire environment,” including client-facing reporting portals, to contain the issue.

“We also immediately launched an investigation with the assistance of a leading forensic investigation firm to determine the nature and scope of the incident and notified the FBI,” Cooper said.

Since last week’s attack, NRC Health has made “significant progress” in restoring its systems and services for its customers.

The company anticipates full restoration in the coming days, according to Cooper.

Cooper said in his statement that there is no evidence, to date, of unauthorized access to or acquisition of any data from NRC Health’s systems, including protected health information or other confidential information.

The company started notifying its hospital customers with an email alerting them to the attack, according to CNBC.

Despite the company’s assurances, some hospitals notified of the cyberattack have raised concerns that private patient data was accessed, according to sources who spoke with CNBC’s Farr.

One health system CEO, who requested anonymity, said that they were concerned about hackers having access to confidential information about their hospital including its market share, Farr reported.

David Holtzman, executive advisor to cybersecurity firm CynergisTek, said federal HIPAA Rules and many state laws hold health care organizations responsible for assessing and carrying out notifications to consumers when one of their vendors suffers a cybersecurity incident or ransomware event that compromises their unencrypted electronic protected health information (e-PHI).

“HHS’ Office for Civil Rights has issued guidance that when an intruder has gained access to an information system in which e-PHI is stored and has compromised the availability or integrity of the data, it is presumed to be a reportable breach,” Holtzman said.

Measures from patient satisfaction surveys are not only used for patient loyalty, but the majority of senior health care executives have compensation tied to patient satisfaction scores. Hospital reimbursement is also being directly affected by inpatient satisfaction ratings as a part of the Centers for Medicare and Medicaid Services (CMS) value-based purchasing program and private payer initiatives, according to the American Medical Association Journal of Ethics.

“With NRC’s systems shut down, one chief information officer at a hospital said that it’s been a ‘major source of irritation internally,’ because the systems are used to determine how much its physicians are getting paid,” Farr reported. The executive requested anonymity because they were not authorized to speak about the attack.

If private patient information was accessed, hospitals will need to notify their patients.

“Our resources are singularly dedicated to regaining full operability and investigating this matter to completion,” Cooper said. “NRC Health takes our customers’ information and security very seriously, and we have and will continue to share additional updates on progress with customers on a daily basis until the issue is completely resolved.”

A recent report from Protenus found that over 41 million patient records were breached in 2019, almost triple what the healthcare industry experienced in 2018. Incidents involving business associates impacted 24 million patient records.

One incident alone, a massive security breach at third-party billing collections firm American Medical Collection Agency (AMCA), exposed the sensitive data of 21 million patients.