AUSTIN, Texas—The 7th Annual Breach Report, an annual review of cybersecurity trends across the Protected Health Information (PHI) data category, reported that there was a 320 percent increase in the number of health care providers victimized by hackers in 2016.
In addition, 81 percent of records breached in 2016 resulted from hacking attacks specifically, and 2016 marked the first time a U.S. hospital was the victim of a ransomware attack, according to the report. Ransomware is defined as a type of malware that encrypts data and holds it hostage until a ransom demand is met.
CynergisTek, a cybersecurity and privacy consulting firm, publishes the Breach Report. The report is an analysis of breach data that is reported, as required by law, to the Department of Health and Human Services.
Among the other findings in the 21-page report:
- 325 large breaches of PHI, compromising 16,612,985 individual patient records.
- 3,620,000 breached patient records in the year’s single largest incident.
- 40 percent of large breach incidents involved unauthorized access/disclosure.
“While mega breaches of PHI remain entirely possible, a larger concern is that we’ll see new and different attack methods deployed that try to compromise the availability and even the integrity of patient data,” the report noted. “We would suggest that other third parties are also tempting targets, specifically mega data warehouses used by biomedical research, health information exchanges and meaningful use metrics.”
According to CynergisTek, one of the takeaways from the report this year is that the significant increase in hacking attacks, coupled with the quantity of patient records compromised in those hacks, is cause for concern among providers, who should be more proactive in their efforts to protect patient information assets.
All breaches of PHI must be reported “on a timely basis” to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).
In an attempt to understand how enforcement might change under President Trump, the Breach Report notes that OCR “has remained very active in 2017, wielding its enforcement authority to investigate HIPAA breaches and, when appropriate, negotiating settlements with or imposing civil monetary penalties.”
Yet, the report noted that it is “still too early to tell how OCR will operate once the new administration” is more completely in place.
“The Executive Order to reduce the burden of regulations on business through a ‘repeal two government regulations for every one new regulation’ will undoubtedly impact health care. Expected government-wide budget cuts to domestic programs may ultimately impact the resources of OCR to carry out enforcement activities, like investigations and the HIPAA audit program. However, it is unlikely that the existing health information privacy and security standards will be rolled back,” the report said.