Year in Review: Health privacy and security had a 'dismal year'

2015 has been a dismal year for security in healthcare, former White House security czar Richard Clarke said at the Privacy and Security Forum, and a review of the year's headlines makes it clear he was right.

Early in the year, hackers launched a “very sophisticated” external cyberattack on health insurer Anthem, impacting 80 million current and former members. This is the biggest healthcare data hack to date.

There were plenty of other breaches in healthcare this year, and the government began to address the issue with several fines for HIPAA violations.

Most recently, the University of Washington Medicine (UWM) settled its HIPAA violations for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients.

The Office for Civil Rights' investigation found that UWM did not ensure all of its affiliates were properly conducting risk assessments and appropriately responding to potential risks.

This settlement is one of several in recent months. Triple-S Management Corporation agreed to a $3.5 million settlement, Lahey Hospital and Medical Center in Massachusetts paid $850,000 in a HIPAA settlement, and Cancer Care Group, a radiation oncology practice in Indianapolis, paid $750,000.

Meanwhile, healthcare stakeholders have been working to establish a network for sharing cybersecurity threat information. But a report from the Health Information Trust Alliance (HITRUST) found substantial gaps in the collection and usability of indicators of compromise (IOCs).

The report on the HITRUST Cyber Threat XChange (CTX) found that only 5 percent of participating organizations contributed IOCs while 85 percent consumed them. Additionally, of the IOCs contributed to the HITRUST CTX in the sampling period, only 50 percent were considered "actionable," defined as useful in allowing preventive or defensive action to be taken without a significant risk of a false positive.

Another privacy and security issue front and center in 2015 was the increase in the number of class action lawsuits filed by victims following a breach. In one case, a group of New York residents whose health data were compromised during a data hack sued the state's largest health insurance provider alleging negligence.

The suit against Excellus Health Plan and Lifetime Healthcare came after hackers gained access to the defendants' data systems around December 2013 and operated undetected for the next 20 months.

The defendants allegedly discovered the hack on Aug. 5, but the plaintiffs say it took until Sept. 9 for the insurers to disclose the breach to the public.

Multiple reports indicate a rising incidence of data breaches and new threats on the landscape, so 2016 is sure to be another busy year for privacy and security professionals in healthcare.

Beth Walsh, Editor

Beth earned a bachelor's degree in journalism and a master's in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005 as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
