Recommended
Recommended
More Related Content
Similar to Privacy Threats in Healthcare - It Could Happen to You
Similar to Privacy Threats in Healthcare - It Could Happen to You (20)
More from SophiaPalmira
More from SophiaPalmira (6)
Recently uploaded
Recently uploaded (20)
Privacy Threats in Healthcare - It Could Happen to You
- 2. CTEK SUMMIT 2020 2 Privacy Threats in Healthcare It Could Happen to You
- 3. CTEK SUMMIT 2020 3 Nick Culbertson CEO & Co-Founder
- 4. CTEK SUMMIT 2020 Agenda 4 • Health data security threat landscape & emerging trends in 2019 • Practical steps your team can use now to protect patient privacy • How to leverage Healthcare Compliance Analytics
- 5. CTEK SUMMIT 2020 5 41 million patient records affected in 2019
- 8. CTEK SUMMIT 2020 8 Number of Health Records Breached
- 9. CTEK SUMMIT 2020 9 Total Disclosed Incidents
- 11. CTEK SUMMIT 2020 11 Single Largest Breach: Affected 20,949,600 patient records, with 11,900,000 affected records from just one client.
- 12. CTEK SUMMIT 2020 12 2019 Type of Incidents
- 13. CTEK SUMMIT 2020 13 Total Hacking Incidents
- 14. CTEK SUMMIT 2020 14 2019 Total Hacking Incidents
- 15. CTEK SUMMIT 2020 1 5 Insider incidents continue to decrease, showing promise with adoption of healthcare compliance analytics.
- 16. CTEK SUMMIT 2020 16 Total Insider-Related Incidents
- 17. CTEK SUMMIT 2020 17 Patient Records Breached by Insiders
- 19. CTEK SUMMIT 2020 19 Average Number of Days to Discovery
- 20. CTEK SUMMIT 2020 20 Why is privacy monitoring so important?
- 21. CTEK SUMMIT 2020 21 Most breaches go unnoticed
- 22. CTEK SUMMIT 2020 22 Building an Effective Privacy Monitoring Program Effective privacy monitoring is geared towards educating workforce and preventing violations.
- 23. CTEK SUMMIT 2020 23 Centralize All Audit Log Data Bring disparate audit log data from across the enterprise together under a ‘single pane of glass.’
- 24. CTEK SUMMIT 2020 24 Increase Efficiency and Resolve Cases Faster Leverage the data at your fingertips to speed up investigations and close more cases in less time.
- 25. CTEK SUMMIT 2020 25 Protect VIPs Patients Automatically review publicly available news and social media to predict threats and catch them as they happen.
- 26. CTEK SUMMIT 2020 26 Healthcare Compliance Analytics let’s you see the entire picture.
- 27. CTEK SUMMIT 2020 Agenda 27 • Health data security threat landscape • Practical steps to protect patient privacy • How to leverage Healthcare Compliance Analytics Key Takeaways
- 30. CTEK SUMMIT 2020 THANK YOU • Nick@Protenus.com • www.Protenus.com 30
Editor's Notes
- Nick’s bio: Nick Culbertson is the Co-Founder and CEO of Protenus. In 2014, Nick and his co-founder Robert Lord developed the initial prototype and algorithms that launched Protenus, fulfilling a critical need to advance health data security and better protect patient data.
- In this session, we will examine how data breaches affected the healthcare industry, according to the 2020 Breach Barometer, and what steps you can take to protect your institution now. Our agenda will include the current health data security threat landscape and the emerging trends from 2019, practical steps your team can use to protect patient privacy and an understanding of healthcare compliance analytics and how it is used to monitor, detect, and prevent health data breaches.
- One shocking statistic from the 2020 Breach Barometer is that 41 million patient records were affected in 2019 as hacking incidents continue to escalate.
- You might be wondering what Tom Hanks, Idris Elba and Boris Johnson have in common. All of these gentleman had COVID-19 and their medical information was made public. It’s not a matter of if but when you will be hit with a breach whether it is a famous VIP or a normal patient.
- Our analysis is based on 572 health data breaches reported to the U.S. Department of Health and Human Services (HHS), the media, or some other source during 2019. As in years past, we do not have numbers for every incident in 2019, but for those 481 incidents for which we have data, 41,404,022 patients were impacted.
- Comparing those numbers with those of years prior, you can see the staggering increase in the number of affected patient records. In 2019, the number almost tripled compared to the 2018 data.
- Despite innovations in healthcare compliance analytics, the healthcare industry has continued to experience an increase in the number of reported health data breaches, year over year, since Protenus started compiling statistics in 2016. This is an alarming trend which should change as more organizations deploy advanced patient privacy monitoring systems that can prevent future incidents.
- Forty-eight states (96%) are represented in the 570 incidents for which we had location data. Texas had the most reported incidents with 59, followed by California with 49. Please note that numbers for some states are inflated because the analysis uses the state where the BA/vendor is located, not where the client is located.
- The single largest breach reported in 2019 was the result of the hacking of a Business Associate. It involved one of the country’s largest patient collections recovery agencies that had its patient information accessed by an unauthorized party. The breach was discovered when analysts found personal identifiable information (PII), including date of birth (DOB), Social Security Numbers, and physical addresses for sale on the dark web. Hackers appeared to gain access to patient information through the online patient portal over the course of several months, beginning in September 2018 and continuing until March 2019. This hacking incident affected 20,949,600 patient records, with 11,900,000 affected records from just one client.
- This graph shows the types of incidents. In 2019 there were incidents of hackers attempting to extort money from the breached patients, not just the affected healthcare organizations. In one incident in Florida, the hackers gained access to patient information and made the typical ransom demand of the breached organization. In a new malicious move, the hackers also sent ransom demands to a number of the affected patients, “threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met.” The FBI is currently investigating this incident.
- The healthcare industry experienced yet another alarming increase in hacking incidents in 2019.The increase is consistent with a worrisome year over year trend since 2016.
- Hacking incidents were relatively constant throughout the year, with a total of 330 incidents in 2019, comprising 58% of all 2019 breaches. It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike. In contrast to previous hacking incidents, current ransomware threat actors have taken to naming victims who do not pay the ransom demands, and then publicly dumping the data if they refuse to pay.
- Overall, the number of insider-related incidents has decrease year over year since 2016. This is largely due to the adoption of healthcare compliance analytics in health systems across the country and improved employee education on how to prevent privacy violations.
- Even with the decrease in the number of insider incidents, they still pose a significant threat with one insider-related incident going undetected for over seven years. In this particular incident, sensitive patient information was viewable to external audiences outside their system network. Potentially exposed information included patient name, medical record number, insurance information, appointment times, and procedure information. At this time, it does not appear this data has been used maliciously and the organization has corrected the system configuration. Several other insider-related incidents went undiscovered for three or more years, putting significant amounts of patient data at risk.
- While there were substantially fewer patient records breached by insider-wrongdoing, they are often more dangerous since employees with legitimate access to patient information can abuse their access with malicious intent, often undetected. In one recent case from 2019, a nurse is suspected of gaining access to patient information and providing the data to a third-party for fraudulent purposes. The Maryland-based healthcare organization discovered the breach when law enforcement reached out after the employee’s associate was arrested for an unrelated matter. It is estimated that 16,542 patients could have been affected over the course of almost two years (644 days) before discovery. Based on information provided by state and local law enforcement, the organization fired this employee and reported the incident to the Board of Nursing. The investigation is still ongoing. In addition to the loss of patient trust, this entity may now face substantial post-breach costs that have been estimated to be close to $10M per breach.
- Several insider incidents took more than 4 years to discover. Overall, the number of insider-related incidents has decrease year over year since 2016. This is largely due to the adoption of healthcare compliance analytics in health systems across the country and improved employee education on how to prevent privacy violations.
- While hacking incidents may be discovered more quickly than insider incidents, they also tend to have longer gaps between the discovery of the breach and reporting it. This may be due to ransomware attacks making it more difficult to determine what may have been accessed or exfiltrated, making it harder to identify who to notify.
- Given the last several slides, you can see why privacy monitoring is so important. Especially, in the current COVID-19 environment.
- While the breach barometer reports on publicly disclosed incidents, it’s just the tip of the iceberg, most data breaches go unnoticed because of the legacy systems and the manual audits that still occur across the country. With the sheer volume of the medical events that happen across the EHR you are asking the compliance team to do the impossible - manually detect these breaches before they happen.
- Let’s talk about some steps your organization can take to protect patient privacy. An effective privacy monitoring program is always geared toward educating workforce and preventing violations.
- It is best to centralize all audit log data and bring your disparate systems across the enterprise together under a ‘single pane of glass’
- You can reduce time spent on investigations if you leverage the data at your fingertips, allowing your team to resolve more cases in less time.
- Also, you need to think outside the box and get ahead of publicly available news and social media to predict threats and catch them before a breach happens.
- There has been an increase in adoption in HCA that allows you to use AI to see everything in a single pane of glass. All of your EHR data or peripheral applications will be at your fingertips allowing you to do more with less. The AI will be able to distinguished abnormal vs normal events in the EHR automatically.
- Let’s review what we discussed today, you learned how data breaches affect the healthcare industry with more than 41 million patient records affected, we discussed the practical steps your team can use to protect patient privacy by creating an effective privacy monitoring program and how to use AI to leverage Healthcare Compliance Analytics within your EHR.
- We have a lot more data available in our Breach Barometer. Please visit the url on the screen to secure a copy.
- Does anyone have any questions? Please utilize the Q&A and chat features on the right-hand side of your screen to submit a question.