The healthcare system faced an increasingly common occurrence in 2016, with a report by Protenus Breach Barometer claiming there was, on average, one data breach a day.
In "Breach Barometer Report: Year in Review," Protenus outlines the struggle in fighting data breaches. The review contains 450 incidents, which affected more than 27 million patient records.
“We’d love to tell you that by the end of the year things were starting to improve, but unfortunately that wasn’t the case,” the report stated. “Patient data can still be easily obtained and used maliciously, by insiders and external actors alike. Even as healthcare leaders became increasingly aware of the importance of health data protection, the number of breach incidents remained relatively steady each month of the year, highlighting the continued threat to patient data.”
The findings of the report include:
Insiders responsible for 192 health data breach incidents: 43 percent of the 2016 health data breaches were the result of insider error or wrongdoing. These incidents affected two million patient records.
Hacking and ransomware responsible for 26.8 percent of data breaches: Hacking and ransomware accounted for 120 health data breaches, affecting over 23 million patient records, or 87 percent of all patient records included in the analysis. Thirty of these incidents involved ransomware, and 10 others involved ransom or extortion demands but not ransomware.
356 incidents reported involved healthcare: Of the 450 reported incidents, 356 (80 percent) involved healthcare with 45 involving health plans.
Health data breaches take 233 days to discover, and 344 days to report: Across the 142 incidents with data, healthcare systems took an average of 233 days to identify that they had a breach. A total of 607 days passed before healthcare systems were able to specifically identify what caused the breach.
State frequency: 47 states were affected by health data breach incidents. California led the pack with 73 incidents.
“Health data protection needs to be a top priority for healthcare organizations—keeping their institution out of the headlines, limiting financial impact, and increasing their patients’ trust and satisfaction,” concluded the review. “While it can take only minutes to gain access to a patient’s medical records, it can take months to detect a breach, and years to recover. Critically, healthcare must move beyond thinking about privacy, security or compliance alone—these are merely three pillars of our true goal: ensuring trust. As an industry, we must think about the fundamental shifts we can effect to build and maintain this trust.”