Presentation on Report to Chris Taylor
2
Data Breaches in the Healthcare Industry and Possible Solutions
Summary
Significant and severe data breaches in the healthcare industry have been happening for a very long time. Reports show that almost 250 million people were severely impacted by healthcare data breaches from 2005 to 2019. Out of these, over 157 million individuals suffered healthcare data breaches in the last 5 years. This indicates that the healthcare industry has seen the highest cases of data breaches compared to other industries. Some healthcare organizations have been educating and training their employees on data security awareness. But healthcare employees are still falling prey to hackers despite the training. Others are using encryption to protect patient data from unauthorized access, but they still face significant challenges implementing the security approach.
Annual cyber security risk analysis could be the most suitable solution to data breaches. Through this approach, an organization can identify potential threats and take necessary measures to prevent or mitigate them. The HIPAA Security Rule requires healthcare organizations to perform an annual cyber security risk analysis to detect vulnerability and review policy. Specifically, the Security Rule requires organizations to assess vulnerabilities and risks within their environment and implement appropriate and reasonable security measures to safeguard themselves against possible security threats.
The Problem
Advancement in communication and information technology has played a huge role in the healthcare industry. First, it has led to the development of electronic health records (EHRs). EHRs have enhanced patient care, improved patient participation, enhanced the diagnostic process, improved care coordination, and enabled quick access to patient data – all of which contribute to improved patient outcomes (Seh et al., 2020). Besides EHRs, the development of mobile health technology has given patients faster access to healthcare providers. It has also improved medication adherence and made remote patient monitoring easy and possible. The IoT (Internet of Things) has also played a huge role in health delivery. But there is a curse in every blessing. The use of EHRs, mobile health technologies, and IoT devices have become a huge source of data breaches in the healthcare industry. Due to security failures, software vulnerabilities, and human error, unauthorized users can sometimes access patient data, which can lead to theft, loss, or disclosure of sensitive patient data.
According to the Healthcare data breaches insights and implications report, almost 250 million individuals have been affected by healthcare data breaches from 2005 to 2019. Over 157 million people were impacted by healthcare data breaches in the last 5 years (Seh et al., 2020). Equally, over 6,355 data breaches have been recorded from 2005 to 2019. Out of these, the healthcare industry faced approximately 3912 data breaches (refer to figure 1). In 2018 alone, there were around 2216 data breaches recorded from 65 nations. Out of these, over 530 data breaches happened in the healthcare industry. In 2019 alone, there were over 2000 data breaches reported from over 80 nations. Out of these, the medical providers faced over 500 data breaches (Seh et al., 2020). In 2020, there is almost 600 data breaches in the healthcare industry (Statista, 2022). This is a clear indication that the healthcare industry has seen the highest cases of data breaches compared to other industries.
Figure 1: Data Breaches from 2005 to 2015 (Seh et al., 2020)
|
Name of Sector |
Number of Data Breaches |
Percentage (%) |
|
Education (EDU) |
671 |
10.55 |
|
Business-Financial (BSF) |
410 |
6.45 |
|
Business Retail (BSR) |
300 |
4.72 |
|
Healthcare (MED0 |
3912 |
61.55 |
|
Government and Defense Institutes (GOV) |
561 |
8.82 |
|
Non-Government Organizations (NGO) |
75 |
1.18 |
|
Businesses-Other (BSO) |
426 |
6.70 |
|
Total |
6355 |
99 |
Healthcare companies have implemented various measures to prevent data breaches. One is training and educating employees. But despite training, healthcare employees are still falling prey to hackers. Recent research discovered that hacking incidents (i.e., ransomware attack, malware attack, spyware, phishing, etc.) are the most common type of attack behind data breaches in the healthcare industry (Seh et al., 2020). Hackers can get access to valuable information, such as PHI (personal health information) and PII (personally identifiable information). This can cause a lot of damage to the parties involved. Other organizations are preventing healthcare data breaches through encryption. According to Abouelmehdi et al. (2018), data encryption can be efficient in preventing unauthorized access to valuable data. Although different encryption algorithms have been created and implemented quite well, some organizations are yet to know how to choose the right encryption algorithms. Also, encryption does not prevent all forms of data breaches.
A Potential Solution
Statistic from National Library of Medicine shows that the best way to overcome healthcare data breaches is to conduct a cyber-security risk analysis. The process entails assessing security risks to information devices, health systems, and patient data. Security risk analysis also entails prioritizing possible threats. Once an organization has completed the analysis, it will know where to allocate resources to prevent data breaches. Besides that, the organization will know which healthcare systems to prioritize should a data breach happen. This would allow the organization to continue operating with little or no disruption.
A healthcare organization can use the quantitative approach to calculates the numeric values associated to each part that results after a rick evaluation see figure 2. The key role of the information security audit is to evaluate the effectiveness and ability of control measures and information system architecture (Kuzminykh et al., 2021). Security risk analysis is a vital element of an information security audit. Through the analysis, an organization can identify potential threats and take necessary measures to prevent them.
Figure 2: Quantitative Analysis
Several regulatory frameworks stipulate the need for cyber security risk analysis. For instance, the HIPAA Security Rule requires healthcare organizations to perform an annual cyber security risk analysis to detect vulnerability and review policy. Specifically, the Security Rule requires organizations to assess vulnerabilities and risks within their environment and implement appropriate and reasonable security measures to safeguard themselves against possible security threats. The Security Rule does not recommend a specific security risk analysis method. It recognizes that methods will differ depending on the size, capabilities, and complexity of the organization (HHS, 2019). Instead, the Security Rule recognizes security risk analysis as the most important element in achieving compliance. It also recommends various objectives that any method must achieve.
Summary
Data breaches are more prevalent in the healthcare industry. Every year, healthcare organizations suffer significant data breach incidents, involving confidential patient information. In 2018, there were approximately 2216 data breaches recorded from 65 nations. Out of these, over 530 data breaches happened in the healthcare industry. In 2019, there were over 2000 data breaches recorded from over 80 countries. Out of these, the healthcare industry faced over 500 data breaches. In 2020, the healthcare industry suffered almost 600 data breaches. Hackers and cybercriminals can do a lot of harm with access to valuable information including PHI (personal health information) and PII (personally identifiable information). Healthcare companies have implemented various measures to address the issue of data breaches. One is training and educating healthcare employees. But despite training, healthcare employees are still falling prey to hackers. Other organizations are preventing healthcare data breaches through encryption. But this approach is still problematic for most organizations. Cyber security risk analysis could be the most effective solution to data breaches.
References
Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: preserving security and privacy. Journal of Big Data, 5(1), 1-18.
HHS. (2019). Guidance on Risk Analysis. Retrieved from: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Kuzminykh, I., Ghita, B., Sokolov, V., Bakhshi, T. (2021). Information Security Risk Assessment. Encyclopedia, 1, 602-617. https://doi.org/10.3390/encyclopedia1030050
Pascarella, G., Rossi, M., Montella, E., Capasso, A., De Feo, G., Botti, G., Nardone, A., Montuori, P., Triassi, M., D'Auria, S., & Morabito, A. (2021, July 8). Risk analysis in healthcare organizations: Methodological Framework and critical variables. Risk management and healthcare policy. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8275831/
Ronquillo, J. G., Erik Winterholler, J., Cwikla, K., Szymanski, R., & Levy, C. (2018, June 11). Health it, hacking, and cybersecurity: National trends in data breaches of protected health information. JAMIA open. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6951874/
Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., & Ahmad Khan, R. (2020, June). Healthcare data breaches: insights and implications. In Healthcare (Vol. 8, No. 2, p. 133). Multidisciplinary Digital Publishing Institute. https://doi.org/10.3390%2Fhealthcare8020133
Statista. (2022). Healthcare data breaches in the U.S. from 2014-2020, by breach type. Retrieved from: https://www.statista.com/statistics/798588/number-of-us-healthcare-data-breaches-bytype/#:~:text=According%20to%20the%20data%2C%20the,breaches%20in%20total%20in%202020