As of May 28, the Beacon Health incident was not yet posted on the HHS’ Office for Civil Rights’ “wall of shame” of health data breaches affecting 500 or more individuals.
OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.
Other recent hacker attacks, which targeted health insurers, include:
- An attack on Anthem Inc., which affected 78.8 million individuals and is the largest breach listed on OCR’s tally.
- A cyber-assault on Premera Blue Cross, announced on March 17, that resulted in a breach affecting 11 million individuals.
- An “unauthorized intrusion” on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn’t discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.
But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it’s not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.
Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group (see Phishing Leads to Healthcare Breach).
“Healthcare provider organizations are also big targets – [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit,” says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. “Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed.”
A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.
“Attacks that compromise an organization’s network and systems are harder to detect these days for a few reasons,” says Fricke, the consultant. “Criminals wait longer periods of time before taking action once they successfully penetrate an organization’s security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack.”
When criminals access a system with an authorized account, it’s more difficult to detect the intrusion, Fricke notes. “Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today.”
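The detection problem Fricke describes, a valid account being used from an unfamiliar place or at an unfamiliar time and the evidence buried in a large volume of routine audit events, is the kind of signal a per-account baseline-and-deviation rule can surface without relying on failed-login counts. The script below is an added example, not code from the article or from any organization it names; the log format, the field names (user, src, result), the sample events and the baseline cutoff date are all constructed for illustration.

```python
"""Flag successful logins that deviate from each account's own baseline.

Added example. The log format and every event below are constructed; the
field names user/src/result are assumptions, not a real product's schema.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data). The first four
# days establish normal behaviour; the events on 2015-04-05 are scored.
SAMPLE_LOG = """\
2015-04-01T08:02:11 login user=jsmith src=10.1.20.15 result=success
2015-04-01T08:05:40 login user=rlee src=10.1.20.77 result=success
2015-04-02T07:58:03 login user=jsmith src=10.1.20.15 result=success
2015-04-02T09:14:22 login user=rlee src=10.1.20.77 result=success
2015-04-03T08:11:45 login user=jsmith src=10.1.20.16 result=success
2015-04-03T13:02:09 login user=rlee src=10.1.20.77 result=success
2015-04-04T08:20:31 login user=jsmith src=10.1.20.15 result=success
2015-04-04T16:45:12 login user=rlee src=10.1.20.78 result=success
2015-04-05T03:12:54 login user=jsmith src=203.0.113.45 result=success
2015-04-05T03:15:02 login user=jsmith src=203.0.113.45 result=success
2015-04-05T08:03:19 login user=jsmith src=10.1.20.15 result=success
2015-04-05T10:30:41 login user=rlee src=198.51.100.9 result=success
2015-04-05T11:00:00 login user=svc_backup src=10.1.30.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Events before this instant train the baseline; events at or after it are scored.
BASELINE_END = datetime(2015, 4, 5)


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events, end):
    """Per user: the set of source IPs and login hours seen in successful logins before `end`."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in events:
        if ev["ts"] < end and ev["result"] == "success":
            baseline[ev["user"]]["srcs"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def score_event(ev, baseline):
    """Return the list of deviations from the user's own baseline (empty list = normal)."""
    if ev["result"] != "success":
        return []  # failed logins belong to brute-force rules, not this one
    if ev["user"] not in baseline:
        return ["no_baseline"]  # an account that never logged in before
    b = baseline[ev["user"]]
    reasons = []
    if ev["src"] not in b["srcs"]:
        reasons.append("new_source")
    # Tolerate one hour of drift around the hours seen in the baseline.
    if not any(abs(ev["ts"].hour - h) <= 1 for h in b["hours"]):
        reasons.append("off_hours")
    return reasons


def detect(text, end=BASELINE_END):
    """Return (timestamp, user, src, reasons) for every deviating login at or after `end`."""
    events = parse_log(text)
    baseline = build_baseline(events, end)
    alerts = []
    for ev in events:
        if ev["ts"] < end:
            continue
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample data the two 03:12 and 03:15 logins by jsmith are flagged for both a new source and off-hours use, rlee's 10:30 login is flagged only for a new source, and svc_backup is flagged because it has no history at all; jsmith's normal 08:03 login from the usual address is not reported. In production the baseline would come from weeks of SIEM data rather than four days, and "new_source" on its own is noisy for mobile users, so the combination with other deviations (time of day, record-access volume, device) is what makes the alert worth an analyst's time.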
As organizations step up their security efforts in the wake of other healthcare breaches, it’s likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old,” he says. “But the alternative – keeping your head in the sand – can lead to far worse results for patients and the organization.”
However, as more of these delayed-detection incidents are discovered, “regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier,” he warns.
Accordingly, organizations should consider whether there were reasonable issues that led to any delays in identifying or correcting security lapses, and maintain documentation supporting the cause of any such delays, he suggests.
“Hindsight is 20-20, and it is always easy for regulators to question why more wasn’t done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects,” Greene says.