Nick Culbertson, CEO & Founder of Protenus kicks us off with this keynote session on day 2 of our CTEK Summit.
In this session, Nick will examine how data breaches affected the healthcare industry, according to the 2020 Breach Barometer, and what steps you can take to protect your institution now.
His session will cover the current health data security threat landscape and the emerging trends from 2019, practical steps your team can use to protect patient privacy, and an understanding of healthcare compliance analytics and how it is used to monitor, detect and prevent health data breaches.
CTEK SUMMIT 2020

Slide 4: Agenda
• Health data security threat landscape & emerging trends in 2019
• Practical steps your team can use now to protect patient privacy
• How to leverage Healthcare Compliance Analytics

Slide 22: Building an Effective Privacy Monitoring Program
Effective privacy monitoring is geared towards educating the workforce and preventing violations.

Slide 23: Centralize All Audit Log Data
Bring disparate audit log data from across the enterprise together under a ‘single pane of glass.’

Slide 24: Increase Efficiency and Resolve Cases Faster
Leverage the data at your fingertips to speed up investigations and close more cases in less time.

Slide 25: Protect VIP Patients
Automatically review publicly available news and social media to predict threats and catch them as they happen.
Nick’s bio: Nick Culbertson is the Co-Founder and CEO of Protenus. In 2014, Nick and his co-founder Robert Lord developed the initial prototype and algorithms that launched Protenus, fulfilling a critical need to advance health data security and better protect patient data.
In this session, we will examine how data breaches affected the healthcare industry, according to the 2020 Breach Barometer, and what steps you can take to protect your institution now. Our agenda will include the current health data security threat landscape and the emerging trends from 2019, practical steps your team can use to protect patient privacy, and an understanding of healthcare compliance analytics and how it is used to monitor, detect, and prevent health data breaches.
One shocking statistic from the 2020 Breach Barometer is that 41 million patient records were affected in 2019 as hacking incidents continue to escalate.
You might be wondering what Tom Hanks, Idris Elba and Boris Johnson have in common. All of these gentlemen had COVID-19 and their medical information was made public. It’s not a matter of if but when you will be hit with a breach, whether it is a famous VIP or a normal patient.
Our analysis is based on 572 health data breaches reported to the U.S. Department of Health and Human Services (HHS), the media, or some other source during 2019. As in years past, we do not have numbers for every incident in 2019, but for those 481 incidents for which we have data, 41,404,022 patients were impacted.
Comparing those numbers with those of years prior, you can see the staggering increase in the number of affected patient records. In 2019, the number almost tripled compared to the 2018 data.
Despite innovations in healthcare compliance analytics, the healthcare industry has continued to experience an increase in the number of reported health data breaches, year over year, since Protenus started compiling statistics in 2016. This is an alarming trend that should change as more organizations deploy advanced patient privacy monitoring systems that can prevent future incidents.
Forty-eight states (96%) are represented in the 570 incidents for which we had location data. Texas had the most reported incidents with 59, followed by California with 49. Please note that numbers for some states are inflated because the analysis uses the state where the BA/vendor is located, not where the client is located.
The single largest breach reported in 2019 was the result of the hacking of a Business Associate. It involved one of the country’s largest patient collections recovery agencies, which had its patient information accessed by an unauthorized party. The breach was discovered when analysts found personally identifiable information (PII), including date of birth (DOB), Social Security Numbers, and physical addresses for sale on the dark web. Hackers appeared to gain access to patient information through the online patient portal over the course of several months, beginning in September 2018 and continuing until March 2019. This hacking incident affected 20,949,600 patient records, with 11,900,000 affected records from just one client.
This graph shows the types of incidents. In 2019 there were incidents of hackers attempting to extort money from the breached patients, not just the affected healthcare organizations. In one incident in Florida, the hackers gained access to patient information and made the typical ransom demand of the breached organization. In a new malicious move, the hackers also sent ransom demands to a number of the affected patients, “threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met.” The FBI is currently investigating this incident.
The healthcare industry experienced yet another alarming increase in hacking incidents in 2019. The increase is consistent with a worrisome year-over-year trend since 2016.
Hacking incidents were relatively constant throughout the year, with a total of 330 incidents in 2019, comprising 58% of all 2019 breaches.
It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike. In contrast to previous hacking incidents, current ransomware threat actors have taken to naming victims who do not pay the ransom demands, and then publicly dumping the data if they refuse to pay.
Overall, the number of insider-related incidents has decreased year over year since 2016. This is largely due to the adoption of healthcare compliance analytics in health systems across the country and improved employee education on how to prevent privacy violations.
Even with the decrease in the number of insider incidents, they still pose a significant threat, with one insider-related incident going undetected for over seven years. In this particular incident, sensitive patient information was viewable to external audiences outside the organization’s system network. Potentially exposed information included patient name, medical record number, insurance information, appointment times, and procedure information. At this time, it does not appear this data has been used maliciously, and the organization has corrected the system configuration.
Several other insider-related incidents went undiscovered for three or more years, putting significant amounts of patient data at risk.
While there were substantially fewer patient records breached by insider wrongdoing, these incidents are often more dangerous, since employees with legitimate access to patient information can abuse their access with malicious intent, often undetected. In one recent case from 2019, a nurse is suspected of gaining access to patient information and providing the data to a third party for fraudulent purposes. The Maryland-based healthcare organization discovered the breach when law enforcement reached out after the employee’s associate was arrested for an unrelated matter. It is estimated that 16,542 patients could have been affected over the course of almost two years (644 days) before discovery. Based on information provided by state and local law enforcement, the organization fired this employee and reported the incident to the Board of Nursing. The investigation is still ongoing. In addition to the loss of patient trust, this entity may now face substantial post-breach costs, which have been estimated to be close to $10M per breach.
Several insider incidents took more than 4 years to discover.
While hacking incidents may be discovered more quickly than insider incidents, they also tend to have longer gaps between the discovery of the breach and reporting it. This may be because ransomware attacks make it more difficult to determine what may have been accessed or exfiltrated, which in turn makes it harder to identify whom to notify.
Given the last several slides, you can see why privacy monitoring is so important, especially in the current COVID-19 environment.
While the Breach Barometer reports on publicly disclosed incidents, that is just the tip of the iceberg: most data breaches go unnoticed because of the legacy systems and the manual audits that still occur across the country. With the sheer volume of medical events that happen across the EHR, you are asking the compliance team to do the impossible: manually detect these breaches before they happen.
Let’s talk about some steps your organization can take to protect patient privacy. An effective privacy monitoring program is always geared toward educating the workforce and preventing violations.
It is best to centralize all audit log data, bringing the audit data from your disparate systems across the enterprise together under a ‘single pane of glass.’
You can reduce time spent on investigations if you leverage the data at your fingertips, allowing your team to resolve more cases in less time.
Also, you need to think outside the box and monitor publicly available news and social media to predict threats and catch them before a breach happens.
There has been an increase in adoption of healthcare compliance analytics (HCA), which allows you to use AI to see everything in a single pane of glass. All of your EHR data and peripheral applications will be at your fingertips, allowing you to do more with less. The AI will be able to distinguish abnormal from normal events in the EHR automatically.
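To make the last three steps concrete, here is an added example (not code from this talk, from Protenus, or from any HCA product) showing what centralizing audit logs and separating abnormal from normal EHR access events can look like. It parses two constructed export formats (a CSV export from the EHR and a JSON-lines export from a billing application, both invented here) into one schema, merges them into a single timeline, and then applies three simple rules as a stand-in for the automated analytics the talk describes: access with no documented care relationship, access to a record flagged as VIP, and after-hours access. The care-relationship table, VIP list, user names and patient ids are all constructed sample data.

```python
# Added example, not code from the CTEK Summit talk or from Protenus.
# Two constructed audit-log export formats are normalized into one schema
# ("single pane of glass"), then simple rules flag accesses that look
# abnormal so an investigator can review them.
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One record-access event in a common schema shared by all sources."""
    ts: datetime
    user: str
    patient_id: str
    source: str


# Constructed sample export from the EHR: timestamp,user,patient id.
EHR_CSV = """\
2019-03-04T09:12:00,nurse.a,P1001
2019-03-04T09:15:00,nurse.a,P1002
2019-03-04T23:40:00,nurse.a,P2001
2019-03-05T02:10:00,nurse.a,P2002
"""

# Constructed sample export from a billing application, one JSON object per line.
BILLING_JSONL = """\
{"when": "2019-03-04 10:00:00", "who": "clerk.b", "mrn": "P1003"}
{"when": "2019-03-04 10:02:00", "who": "clerk.b", "mrn": "P9000"}
"""

# Constructed reference data: which users have a documented care relationship
# with which patients, and which patient records are flagged as VIP.
CARE_RELATIONSHIPS: Dict[str, Set[str]] = {
    "nurse.a": {"P1001", "P1002"},
    "clerk.b": {"P1003"},
}
VIP_PATIENTS: Set[str] = {"P9000"}


def parse_ehr_csv(text: str) -> List[AccessEvent]:
    """Parse the (constructed) EHR CSV export into the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, pid = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, pid, "ehr"))
    return events


def parse_billing_jsonl(text: str) -> List[AccessEvent]:
    """Parse the (constructed) billing JSON-lines export into the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["when"], "%Y-%m-%d %H:%M:%S")
        events.append(AccessEvent(ts, rec["who"], rec["mrn"], "billing"))
    return events


def centralize(*streams: Iterable[AccessEvent]) -> List[AccessEvent]:
    """Merge every source into one timeline ordered by time."""
    merged = [e for stream in streams for e in stream]
    return sorted(merged, key=lambda e: e.ts)


def find_alerts(events: Iterable[AccessEvent], relationships: Dict[str, Set[str]],
                vips: Set[str], after_hours: Tuple[int, int] = (22, 6)
                ) -> List[Tuple[AccessEvent, List[str]]]:
    """Return (event, reasons) pairs for accesses that look abnormal under the rules."""
    start, end = after_hours
    alerts: List[Tuple[AccessEvent, List[str]]] = []
    for e in events:
        reasons = []
        if e.patient_id not in relationships.get(e.user, set()):
            reasons.append("no documented care relationship")
        if e.patient_id in vips:
            reasons.append("flagged VIP record")
        if e.ts.hour >= start or e.ts.hour < end:
            reasons.append("after-hours access")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def alerts_by_user(alerts: List[Tuple[AccessEvent, List[str]]]) -> Dict[str, int]:
    """Count flagged events per user so investigators can prioritise cases."""
    counts: Dict[str, int] = {}
    for e, _ in alerts:
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    timeline = centralize(parse_ehr_csv(EHR_CSV), parse_billing_jsonl(BILLING_JSONL))
    flagged = find_alerts(timeline, CARE_RELATIONSHIPS, VIP_PATIENTS)
    for event, reasons in flagged:
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.source:8} {event.user:8} "
              f"{event.patient_id}: {', '.join(reasons)}")
    print(alerts_by_user(flagged))
```

On the constructed data the merged timeline holds six events and three are flagged: the clerk's access to the VIP record and the nurse's two late-night accesses to patients outside her care relationships. The fixed rules stand in for the learned baseline that the talk attributes to AI-driven HCA; in practice the care-relationship table would be derived from scheduling and encounter data rather than hard-coded, and a rule such as after-hours access would be weighted against each user's own normal shift pattern to keep the alert volume manageable for the compliance team.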
Let’s review what we discussed today. You learned how data breaches affect the healthcare industry, with more than 41 million patient records affected. We discussed the practical steps your team can use to protect patient privacy by creating an effective privacy monitoring program, and how to use AI to leverage Healthcare Compliance Analytics within your EHR.
We have a lot more data available in our Breach Barometer. Please visit the URL on the screen to secure a copy.
Does anyone have any questions? Please utilize the Q&A and chat features on the right-hand side of your screen to submit a question.