Year in Review: Health privacy and security had a 'dismal year'
2015 has been a dismal year for security in healthcare, former White House security czar Richard Clarke said at the Privacy and Security Forum, and a review of the headlines makes it clear he was right.
Early in the year, hackers launched a “very sophisticated” external cyberattack on health insurer Anthem, impacting 80 million current and former members. This is the biggest healthcare data hack to date.
There were plenty of other breaches in healthcare this year and the government began to address the issue with several fines for HIPAA violations.
Most recently, the University of Washington Medicine (UWM) settled its HIPAA violations for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients.
The Office for Civil Rights' investigation found that UWM did not ensure all of its affiliates were properly conducting risk assessments and appropriately responding to potential risks.
This settlement is one of several in recent months. Triple-S Management Corporation agreed to a $3.5 million settlement, Lahey Hospital and Medical Center in Massachusetts paid $850,000 in a HIPAA settlement, and Cancer Care Group, a radiation oncology practice in Indianapolis, paid $750,000.
Meanwhile, healthcare stakeholders have been working to establish a network for sharing cybersecurity threat information. But a report from the Health Information Trust Alliance (HITRUST) found substantial gaps in the collection and usability of indicators of compromise (IOCs).
The report on the HITRUST Cyber Threat XChange (CTX) found that only 5 percent of organizations contributed IOCs while 85 percent consumed them. Additionally, of the IOCs contributed to the HITRUST CTX in the sampling period, only 50 percent were considered "actionable," defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive.
Another privacy and security issue front and center in 2015 was the increase in the number of class action lawsuits filed by victims following a breach. In one case, a group of New York residents whose health data were compromised during a data hack sued the state's largest health insurance provider alleging negligence.
The suit against Excellus Health Plan and Lifetime Healthcare came after hackers gained access to the defendants' data systems around December 2013 and operated undetected for the next 20 months.
The defendants allegedly discovered the hack on Aug. 5, but the plaintiffs say it took until Sept. 9 for the insurers to disclose the breach to the public.
Multiple reports indicate a rising incidence of data breaches and new threats on the landscape. 2016 is sure to be another busy year for privacy and security professionals in healthcare.