Data breaches are on the rise, including those in healthcare, according to a just-released report.
Beazley Breach Response (BBR) Services unit responded to 60% more data breaches in 2015 compared to the previous year, and healthcare was one of the top three fields with incidents. The other two were financial services and higher education.
In its report looking at more than 2,000 breaches, New York City-based Beazley said that the percentage of breaches that involved third-party vendors tripled during the time that was studied, to 18% of breaches in 2015. The unintended disclosure of records, such as when email was misdirected, accounted for almost one in four (24%) 2015 breaches. In 2015, 32% of all incidents were caused by hacking or malware.
"We saw a significant rise in incidents caused by hacking or malware in the past year," said Katherine Keefe, global head of BBR Services. "This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled."
BBR Services points out that hackers increasingly are demanding that healthcare organizations pay a ransom to be able to access their own records. Such breaches more than doubled among Beazley clients in 2015. Based on figures from the first two months of 2016, ransomware will increase by 250% this year, the organization projects.
Paul Nikhinson, privacy breach response services manager for BBR Services, says, "Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record."
The group recommends organizations take these five steps:
- Train employees about protecting personally identifiable information and protected health information. Train them to avoid falling for phishing attacks.
- Have a robust incident response plan that guides managers through a breach, from initial suspicion to forensic analysis, legal advice, customer communications, and PR assistance.
- Categorize potential data risks by threat level, to avoid over-reacting or under-reacting.
- Review your contracts carefully to ensure your patients’ data is protected with suppliers and vendors.
- Mobile devices, laptops, and thumb drives are the items most likely to be lost. Encrypt the data on them.

(We cover data breaches in our HIPAA Regulatory Alert, which is included for free in subscriptions to Healthcare Risk Management and Hospital Access Management. The next issue of HIPAA Regulatory Alert will cover how smaller violations usually cause more harm to individuals and have more negative impact on organizations’ public reputation. We’ll also explore only the second civil monetary penalty ever imposed by federal regulators for a HIPAA violation.)