Analysis: US healthcare data-breach investigations skyrocket

The number of data breaches under investigation more than doubled from 2018 to 2019, according to data published by the US Department of Health & Human Services (HHS). 

E&T found that the number of individuals affected by these data breaches rose by more than five times between 2018 and 2019. 

Even before 2019 year-end, using data taken between 1 January and 10 December, HHS estimates that more than 40 million people have been affected in some way or another by these data breaches. 

Optum360, a business associate entity carrying out billing work for Quest Diagnostics, was the most devastating attack covered in the HHS dataset in the past two years, reportedly affecting 11.5 million people.

Previous studies have shown that the average total cost per data breach within healthcare is among the highest of any sector, reaching $6.45m. It is higher even than in finance, where breaches cost $5.86m on average. Healthcare was also found to bear the highest per-record data breach cost of $429, substantially higher than the cross-industry average of $150.

The cost burden per data breach is highest in the US, which also has the highest indirect cost per lost record, according to previous research. 

Cyber experts presented with the statistics told E&T that cyber-security practices within the industry are ‘lagging’.

“These ecosystem companies are themselves weak when it comes to cyber security, making the entire process challenging for those health systems seeking to provide a high level of care while properly securing patient data,” said Tim Mackey, principal security strategist at Synopsys CyRC.   

Sam Curry, chief security officer at Cybereason, a cyber-security technology company headquartered in Boston, said that attackers’ efforts are very organised: "We deal with an intelligent, motivated set of opponents. It’s not one person in a basement seeking a single thing. Instead, there is an ecosystem of actors, their suppliers, their partners and so on all seeking to advance their respective agendas with cyber as the tool of choice.” 

The numbers suggest that culprits may have become more effective and successful in terms of 'bang for the buck' they get per attack. While in 2018 the average health data breach amounted to 48,710 people being affected, in 2019 this figure surged to 98,703.

However, the number of cases and individuals suffering may appear to have increased so dramatically because the detection rate has improved. Experts told E&T that it takes a long time to identify breaches within the health sector, longer than in any other industry.  

IBM’s calculations suggest that detection and containment of data breaches took the longest time in the healthcare and public sector at 329 days; 236 to identify them and 93 to contain them (see chart).  

The profile of the type of breaches also evolved: hacking and IT-related incidents increased by 52 per cent while cases of unauthorised access or disclosure fell by 70 per cent.  

Like others who have services to sell, Mackey argued the sector must spend more and pay heed to the shortcomings in cyber security in healthcare. “With wait times increasing, it is reasonable to raise concerns over budget allocations, but a balance should always be struck between direct patient care and indirect patient care, which includes ensuring the patients' records are properly handled.”

Cyber-security spending levels have also been criticised in the UK. A survey of 226 NHS trusts last year revealed that 43 confirmed they had not allocated any funding for cyber security between August 2017 and August 2018.

E&T’s analysis of HHS’s data, which must be published by the Secretary of HHS Breach of Unsecured Protected Health Information according to the HITECH Act, comes with a caveat, Mackey pointed out.

The data provided by HHS may have to be taken with a pinch of salt. Mackey argued that due to the nature of healthcare cyber attacks in the US, it may be difficult to draw definite comparisons year over year or even between states.

Cybereason's Curry added that healthcare professionals may be unable to point to a single cause for the increase in attacks and cyber breaches in 2019. 

Increased cyber security in other sectors may have helped to push attackers towards the healthcare industry. Curry said: “In the case of cyber crime, the criminals simply move to the greatest return for the least risk and cost. Who is most likely to pay the ransom or to have data for blackmail? In healthcare! Where do you go if not the harder targets around banking or offices? Their health records.”

Curry added that healthcare globally is getting the "not-so-tender attention of all actors in the ecosystem” and this is unlikely to improve in 2020.