Healthcare breaches drop, but ransomware attacks rise

Patient data breaches dropped in 2017, mainly due to fewer large-scale breaches, but ransomware strikes intensified and insiders kept hacking.

This article can also be found in the Premium Editorial Download: Pulse: Hospitals bone up on medical device cybersecurity plans

More than 5.6 million Americans had their patient records stolen or exposed in healthcare breaches in 2017. Remarkably, that huge number is a marked decrease from the year before, mostly due to fewer large-scale healthcare breaches -- though there were still some of those, too -- according to new research from Protenus, a health IT privacy and security firm.

But in a notable development -- and one deeply concerning to many in health IT -- ransomware and malware strikes on healthcare organizations intensified last year, doubling from 2016 to 64 incidents reported to federal officials.

The biggest healthcare breach reported in 2017 was at Med Center Health in Kentucky, where a former employee gained access to the billing information of nearly 700,000 patients in a series of hacking exploits, as reported by Med Center parent Commonwealth Health Corp. to the U.S. Department of Health and Human Services (HHS).

Indeed, the so-called insider threat -- when employees accidentally or maliciously gain inappropriate access to protected health information -- remained high, as it was a year earlier, and accounted for 37% of the overall number of healthcare breaches, according to the Protenus report, compiled with DataBreaches.net.

Insiders were behind 176 healthcare breaches in 2017, but only 70 were attributed to wrongdoing, while more than half were attributed to employee error. However, the malicious incursions resulted in the breach of 893,978 patient records, while the errors caused 785,281 records to be exposed. "Unfortunately, insider incidents continued to plague the healthcare industry in 2017," the report said.

Data breaches dropped in 2017, but ransomware soared

Another of the report's negative findings was that healthcare organizations were slower to discover they had suffered a breach. Of 144 healthcare breaches examined by Protenus, it took an average of 308 days for organizations to find out they had been breached, compared with 233 days in 2016.

Yet healthcare organizations seemed to have made improvements in reporting health data breaches to HHS. They took an average of 73 days to report a breach after it was discovered, while in 2016, the average was 344 days. But even with this significant improvement, healthcare providers and other breached organizations failed on average to report breaches within the 60-day window required by law to avoid potential civil monetary penalties.

This was last published in March 2018
