2017 was a big year for healthcare IT security. Massive ransomware attacks, hacked medical devices, and a record-breaking HIPAA settlement are just the highlights.
Dig into the top stories for 2017 below.
#1. Ransomware Attacks Hit Healthcare
The ongoing threat of ransomware, punctuated by a spike in attacks in the spring, is the biggest security story in healthcare IT this year.
The WannaCry ransomware attack shocked healthcare professionals across the world. In May, it seized an estimated 300,000 computer systems in a matter of days, spreading as a worm through the SMBv1 flaw that Microsoft had patched two months earlier in MS17-010, so unpatched and end-of-life Windows systems bore the brunt.
Among the infected systems were those of the National Health Service (NHS), the U.K.'s publicly funded healthcare provider.
Impacts across the U.K. included emergency departments diverting patients, rescheduled surgeries, and more than 6,900 canceled appointments, according to a report by the National Audit Office.
Pharmaceutical giant Merck reportedly lost $135 million in sales in 2017 to NotPetya, a June outbreak that posed as ransomware but, because the encryption could not be undone even after payment, acted as a data wiper.
The U.S. Office for Civil Rights (OCR), the federal office tasked with enforcing HIPAA, published its guidance on ransomware infections and their impact on HIPAA compliance in July 2016, and it remained the reference document as this year's attacks unfolded.
#2. Medical Device Security is Broken
Network-enabled medical devices have notoriously poor security, just as IoT security is poor generally. Experts have known this for years, but 2017 brought the topic big headlines.
For example, the U.S. FDA alerted the public in August to 465,000 implanted pacemakers vulnerable to wireless hacks that could cause "patient harm from rapid battery depletion or administration of inappropriate pacing." The fix was a firmware update that patients had to receive in person at a clinic, a useful reminder that patching an implanted device is nothing like patching a server.
The following month, the FDA issued recommendations for manufacturers of interoperable medical devices, including security considerations for device interfaces. Full text: Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices (Sept. 6, 2017).
The U.S. Congress may eventually step in on medical device security. Related bills have been introduced, but none has advanced:
- Medical Device Cybersecurity Act of 2017 – July 27, 2017
#3. HIPAA Settlement Breaks Record
The Office for Civil Rights (OCR), the federal office tasked with HIPAA enforcement, got a new director in March – and he means business.
OCR Director Roger Severino reportedly said his top HIPAA enforcement priority for 2018 is to find a big, juicy, egregious data breach.
More highlights on healthcare cybersecurity enforcement:
Anthem Pays Record $115 Million
Healthcare now holds the record for the largest court settlement ever paid over a data breach. Health insurance giant Anthem agreed to pay $115 million to settle class-action litigation over its 2015 breach, which exposed records on more than 78 million people. By comparison, Target paid $18.5 million for its now-infamous data breach affecting 110 million people, and Home Depot paid $27.25 million for its breach affecting 56 million.
HIPAA ‘Wall of Shame’ Updated
OCR announced a redesigned HIPAA breach portal in July. Also known as the HIPAA "wall of shame", the site lists reported breaches involving 500 or more individuals. The redesign kept that core purpose, despite complaints that the site was too harsh.
OCR: Ransomware Factsheet
OCR's ransomware fact sheet, published in July 2016 after a spring of attacks on hospitals, remains the go-to guide on whether a ransomware infection constitutes a HIPAA breach. Its key position: ePHI encrypted by ransomware is presumed breached, and notification is required, unless the entity can demonstrate through its risk assessment that there is a low probability the data was compromised.
OCR: Cyber Attack Response Checklist
In June, OCR published a checklist of steps for HIPAA covered entities and their business associates to take after a cyber-related security incident is discovered: execute response and mitigation procedures and contingency plans, report the crime to law enforcement, share cyber threat indicators with federal agencies and information-sharing organizations, and report any breach affecting 500 or more individuals to OCR as soon as possible and no later than 60 days after discovery.
OCR: Emergency Response
In October, OCR published guidance on how parts of the HIPAA Privacy Rule can be waived during an emergency. Waived provisions typically do not affect healthcare cybersecurity requirements, since cybersecurity is covered mostly by the Security Rule, not the Privacy Rule.
OCR also published guidance in October on how doctors can respond to the opioid crisis within the context of HIPAA compliance.
#4. Top Healthcare IT Data Breaches
The number of data breaches reported to the OCR in 2017 is roughly on pace with recent years.
As of Nov. 17, the HIPAA breach portal shows 302 breaches for 2017. That’s 25 fewer than the total for 2016 and 33 more than 2015.
However, the breaches are dramatically smaller this year. So far, about 4.5 million individuals are reported to have been affected. Last year, the number was 12.5 million.
Some of the largest healthcare cybersecurity breaches this year:
Med Center Health – 697,800 People Affected
This Kentucky-based medical conglomerate, which includes several hospitals, reported in January a data breach involving an employee who twice stole patient billing info.
Although fewer than 200,000 patients were notified, the OCR’s HIPAA breach portal lists the total number of people affected at nearly 700,000.
Airway Oxygen – 550,000 People Affected
A ransomware attack in April made this Michigan-based home medical equipment supplier one of the top HIPAA breaches of 2017. The HIPAA breach portal lists the “location of breached information” as a network server.
Women’s Health Care Group of Pennsylvania – 300,000 People Affected
In yet another ransomware attack, employees at this health system discovered an infected workstation and server. Further investigation revealed that the intrusion went back as far as January, and the breach affected some 300,000 patients.
#5. Top Threats in Healthcare IT Security
Ransomware makes headlines, but it’s only part of the threat landscape in healthcare IT.
Insider threats – often mistakes and oversights – continue to drive a huge number of HIPAA breaches.
The chart below summarizes the HIPAA breaches shown in OCR's portal from Jan. 1, 2017 through Nov. 20, 2017 (including breaches that have been archived and those still under investigation).
Note: only breaches affecting 500 or more individuals are reported in the OCR’s portal.
Unauthorized access and disclosure is the number-one cause of reported HIPAA breaches so far in 2017. Examples include:
- Misconfigurations that expose patient data to the public internet
- Mass emailing patient data to the wrong people
- Mass snail-mailing with patient data viewable through a plastic window on the envelope
Hacking and IT incidents account for about one-third of reported HIPAA breaches so far. Examples include:
- Malware and ransomware infections on servers and workstations with access to patient data
- Hacked network server containing patient data
- Phishing attack compromises credentials for an email account that contains messages with patient data
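The breakdown above is a tally of the portal's records by "Type of Breach" within a date window. As an added example (not part of the original post), the Python script below performs that tally over a constructed CSV laid out like the portal's export; the column names and the MM/DD/YYYY date format are assumptions modeled on that export, and the rows are made-up data, not real breaches. It applies the Jan. 1 to Nov. 20 window, drops any record below the 500-individual threshold as bad data, and counts a record that lists two breach types under both.

```python
"""Tally OCR breach-portal records by breach type for a date window."""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample in the layout of the OCR breach portal CSV export.
# Column names are an assumption modeled on the portal's download; the
# rows are invented and do not describe real entities or breaches.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Hospital A,KY,Healthcare Provider,697800,01/12/2017,Unauthorized Access/Disclosure,Other,No,
Example Supplier B,MI,Healthcare Provider,550000,06/09/2017,Hacking/IT Incident,Network Server,No,
Example Clinic C,PA,Healthcare Provider,300000,07/17/2017,Hacking/IT Incident,"Desktop Computer, Network Server",No,
Example Practice D,TX,Healthcare Provider,1200,03/03/2017,Unauthorized Access/Disclosure,Paper/Films,No,
Example Plan E,CA,Health Plan,2500,09/21/2017,"Hacking/IT Incident, Unauthorized Access/Disclosure",Email,Yes,
Example Hospital F,NY,Healthcare Provider,800,11/25/2017,Theft,Laptop,No,
Example Practice G,OH,Healthcare Provider,3100,12/02/2016,Loss,Paper/Films,No,
Example Dentist H,FL,Healthcare Provider,450,05/05/2017,Theft,Laptop,No,
Example Lab I,GA,Healthcare Provider,5600,08/14/2017,Unauthorized Access/Disclosure,Paper/Films,No,
Example Group J,IL,Healthcare Provider,900,04/10/2017,Theft,Laptop,No,
"""

PORTAL_MIN_INDIVIDUALS = 500  # the portal only lists breaches of 500+ people


def parse_date(text):
    """Accept the portal's MM/DD/YYYY style (assumed) and ISO YYYY-MM-DD."""
    for fmt in ("%m/%d/%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def load_breaches(csv_text, start, end):
    """Return (rows submitted within [start, end], names of rows skipped).

    A record below the 500-individual threshold should never appear in the
    portal, so it is treated as bad data and skipped rather than counted."""
    rows, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = int(row["Individuals Affected"].replace(",", ""))
        if affected < PORTAL_MIN_INDIVIDUALS:
            skipped.append(row["Name of Covered Entity"])
            continue
        submitted = parse_date(row["Breach Submission Date"])
        if not (start <= submitted <= end):
            continue
        rows.append({
            "entity": row["Name of Covered Entity"],
            "affected": affected,
            "submitted": submitted,
            # The portal can list several types in one cell, comma separated.
            "types": [t.strip() for t in row["Type of Breach"].split(",") if t.strip()],
            "location": row["Location of Breached Information"],
        })
    return rows, skipped


def summarize(rows):
    """Count records and individuals per breach type. A record with two
    types (e.g. a phished mailbox whose contents were also disclosed) is
    counted under both, so the shares can sum to more than 100%."""
    counts, people = Counter(), Counter()
    for r in rows:
        for t in r["types"]:
            counts[t] += 1
            people[t] += r["affected"]
    total = len(rows)
    return {t: {"breaches": counts[t],
                "share": round(counts[t] / total, 3),
                "individuals": people[t]} for t in counts}


def report(csv_text=SAMPLE_CSV, start=date(2017, 1, 1), end=date(2017, 11, 20)):
    """Build the full summary for the window the post uses by default."""
    rows, skipped = load_breaches(csv_text, start, end)
    return {"breaches": len(rows),
            "individuals": sum(r["affected"] for r in rows),
            "by_type": summarize(rows),
            "skipped_below_threshold": skipped}


if __name__ == "__main__":
    out = report()
    print(f"{out['breaches']} breaches, {out['individuals']:,} individuals affected")
    for t, s in sorted(out["by_type"].items(), key=lambda kv: -kv[1]["breaches"]):
        print(f"  {t:<35} {s['breaches']:>3} ({s['share']:.0%})  {s['individuals']:>10,}")
    if out["skipped_below_threshold"]:
        print("skipped as below the 500 threshold:", ", ".join(out["skipped_below_threshold"]))
```

To run this against the real portal, download the CSV export, read it into `csv_text`, and keep the threshold check: a row under 500 individuals in that file means either a parsing problem or an export change, not a reportable breach.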
Looking Forward to 2018
Five weeks remain before the end of the year. While anything can happen, it's safe to assume the above stories will be the biggest healthcare IT security topics for 2017.
Did we miss any? Let us know in the comments!