Data breaches are disproportionately common in the health sector. What's more, it is the only sector that has a higher rate of data breaches caused by internal factors such as employee carelessness or misbehaviour than by external threats. Health sector data breaches are enabled, it seems, by the increasing uptake of technology in the provision of healthcare services, by weak or absent internal controls and by a lack of cybersecurity awareness within organisations. However, the higher rate of reported data breaches in the health sector is also likely to be the result of more stringent legal reporting requirements as compared to other sectors. Regardless of the root cause, health sector breaches have significant business, financial, social and reputational impacts due to the high stakes, the inability to 'reset' health information and the loss of trust from patients and the broader public. This article explores why data breaches are so prevalent in this sector, the costs and the steps that health sector organisations should take to safeguard their data and critical infrastructure.
- Why focus on healthcare? The health sector accounts for a disproportionate number of data breaches, and their severity – both in average financial cost per record accessed or lost and the social impact which flows from compromised health information – often exceeds that of breaches in other sectors. Both the Office of the Australian Information Commissioner's (OAIC) in its report on Australian data breaches for the first quarter of 2018, and Verizon in its 2017 Data Breach Investigations Report, found that almost a quarter of all data breaches occurred in the health sector. The health sector also reported the largest number of data breaches in the OAIC's report on the second quarter, constituting 20% of the data breaches between April and June 2018.1 What's more, health information or medical data was affected in 24%-33% of data breaches across all sectors.2
- Why are data breaches so prevalent in the healthcare sector? The uptake of technology in the health sector (including wearable medical devices, telehealth services and electronic health records) has resulted in an increasing amount of health information being stored and transmitted electronically. Cybersecurity awareness in that sector has not kept pace. This overrepresentation can be attributed to both poor security practices across the health sector3 and the stricter legal requirements for reporting breaches that apply to the sector.
- What are the costs? Apart from the legal risks involved in these data breaches, there are significant financial and reputational ramifications for affected businesses. These include impacts on the level of trust in the underlying patient relationship, the continuing health of patients, the organisation's reputation and regulatory fines or litigation costs. In particular, and in addition to the regulatory fines imposed by the US Department of Health and Human Services' (HHS) Office for Civil Rights, there have been a large number of class actions brought in the US in relation to health sector data breaches,4 including a claim against Anthem, which was settled in 2017 for US$115 million.
- What should healthcare providers do? Organisations should ensure that they:
- understand and implement a 'privacy by design' approach to business operations, including in relation to the design and implementation of new projects;
- understand the data flows involved in their practice and the regulatory framework in which they operate;
- identify and address any vulnerabilities created by outdated systems and perform appropriate due diligence on third-party vendors;
- educate staff on cybersecurity risks and data/privacy best practice (including limiting access to sensitive information to staff who require it);
- establish dedicated cybersecurity-risk quantification, assessment and ongoing management processes, and establish cybersecurity continuous monitoring capability;
- ensure that where they disclose any information publicly, such information has been appropriately de-identified and aggregated and is not capable of re-identification (including where it is combined with other public datasets);
- regularly audit data storage processes and compliance with data storage policies and procedures; and
- identify a data breach response team and have a comprehensive data breach response plan, in order to quickly and efficiently respond to potential data breaches and minimise harm to individuals (and therefore the financial and reputational costs of the breach).5
Increased quantity of connected health information
The upward trend of data breaches in the health sector has been enabled by the movement of health information and existing health practices into the digital world – a transition that is taking many forms, including:
- an increasing number of medical devices and patient wearables, such as pacemakers and insulin pumps, forming part of the Internet of Things, and directly collecting and storing patient data (for more on the increase in use, and potential vulnerabilities, of medical devices, see our article Unexpected risks of the IoT revolution: cybersecurity in medical devices);
- the increasing use of telehealth and telemedicine, which utilise telecommunication technologies to remotely provide healthcare services and health education, in order to address access to health both in rural communities and by an ageing population with limited mobility; and
- the adoption of electronic health records, both internally within specific practices and hospitals, and on a national level through the introduction of the My Health Records (MHR) system.
Each of these technologies creates opportunities for more responsive treatment and greater control over a patient's health and health information. However, the improved connectivity (especially where communications are not secured against interception), the increasing centralisation and consolidation of sensitive information and the extending of access to that information to a broad range of entities, create the possibility for unintended or malicious data breaches unless appropriate security measures are put in place.
Health information as a critical and non-perishable asset
The increasing quantity of health information which can be accessed as a result of a single data breach is likely to have led to a rise in the number of data breaches in the sector, but the specific characteristics of health information have also made a contribution.
- Access to health information is critical: Attacks like those using ransomware are more likely to be successful in the health sector because they disrupt the organisation's operations, affecting both patients and staff (including in some cases, critical surgery or care). For this reason, health organisations require access to their systems to be re-activated almost immediately and are more likely to meet the hacker's demands.6
- Health information is difficult to change: Unlike credit card or payment information, health information such as illnesses and surgeries is not 'perishable' and is often difficult for individuals to replace. This means it retains value for a longer period after a breach. While the relative value of health information compared to credit card data is disputed, it is clear that health information is valuable (with Medicare details selling for A$29 per record in 2017)7 and can be used for identity fraud8 or other fraudulent activities taking advantage of an individual's medical conditions or settlements, to create fake insurance claims, to purchase medical equipment or to access certain prescriptions.9
Lack of cybersecurity awareness
Perhaps surprisingly for a sector built on trust and access to individuals' most sensitive data, a large proportion of breaches in the health sector do not arise from external malicious actors but instead from internal forces. Verizon's 2018 data breach investigations report found that 'healthcare is the only industry where the threat from inside is greater than that from outside', with 56% of the breaches surveyed relating to either employee errors or abuse of their access to systems and patient data, and breaches being seven times more likely to be caused by errors than in other sectors.10 The OAIC's second quarterly report found similar results, with 59% of data breaches in the healthcare sector resulting from human error as opposed to malicious cyberattacks.11 This appears to be for a number of reasons:
- social nature of the health sector: As relatives, carers and other physicians regularly request information about patients, the sector is more susceptible to social breaches such as phishing or pretexting, where hackers pretend to be related to the target.12
- unsophisticated participants: A number of health sector organisations are small and have unsophisticated data-handling practices, and therefore may not have a detailed understanding of current security risks and vulnerabilities when adopting new technologies, or how they can address exploited vulnerabilities to prevent future breaches (there is evidence that healthcare organisations continue to have poor social engineering scores even after they suffer a breach).13
- no clear sector-specific security requirements: While the Royal Australian College of General Practitioners has published the Computer and Information Security Standards to provide guidance and support to GPs when dealing with data security (and in particular in connection with the MHR system), these Standards have not been updated since 2013, and the College's accreditation process only appears to require compliance with information security indicators and not strict compliance with the Standards.14 Similarly, while ADHA issued an Information Security Guide for small healthcare businesses in October last year, it is not clear to what extent the guide (or the security practices it recommends) has been adopted within the sector.
- disconnect between perception of risk at an organisation and industry level: Many health organisations appear to think that they will not be a target of cyberattacks. As an example, a survey of 122 healthcare professionals in March showed that 79% were concerned about the cybersecurity of their own healthcare information, while 68% believed their organisations were doing enough to protect patient privacy and personal information from cyber attackers.15
While the factors discussed above may explain why that there are a significant number of data breaches in the health sector, it is likely that the comparably high representation of reported data breaches in the sector is also a result of the stricter standards for reporting imposed by relevant legislation. By way of example:
- In Australia:
- under Part IIIC (Notification of eligible data breaches) of the Privacy Act 1988 (Cth), a breach affecting a healthcare organisation, especially where it involves access to health information, on average will be more likely to result in 'serious harm' (including physical, psychological or emotional harm) to the affected individuals than breaches affecting other sorts of data;16 and
- the My Health Records Act 2012 (Cth) imposes a specific data breach regime for participants in the MHR system, to broadly cover situations where:
- there may have been unauthorised collection, use or disclosure of health information included in an individual's MHR; or
- an event may have occurred or circumstances may have arisen which compromise (or could compromise) the security or integrity of the MHR system.
- In the US:
- the Health Insurance Portability and Accountability Act 1996 (US) (HIPAA) imposes an obligation on entities to report breaches where there is the acquisition, access, use or disclosure of personal health information which affects more than 500 personal records;17 and
- guidance issued by the US HHS provides that most ransomware attacks, including any breach where health information is encrypted by the ransomware, will constitute a data breach under HIPAA and therefore must be reported.18
- Cost to organisation: The Ponemon 2018 Cost of a Data Breach Study found that the average cost per stolen record for healthcare organisations was US$408, compared to US$148 for non-health organisations.18 This is likely to be related to the stricter regulations in the health sector and the greater likelihood the organisation will pay to regain access to their records or system.
- Litigation: There have been a number of high profile class actions relating to data breaches in the healthcare sector, including Anthem, Inc a health insurer who reached a record-setting settlement of US$115 million in June last year in relation to a data breach that affected nearly 80 million people.20 In addition, recent data breach class actions brought in Canada21 and England22 suggest that this trend is likely to extend to Australian entities that suffer a data breach.
- Cost to affected individuals: As health information is not perishable, affected individuals often incur costs (even if not straight away). A 2017 Accenture survey found 26% of US consumers have been affected by a healthcare data breach, with 50% of those individuals suffering medical identity theft, and an average out-of-pocket cost of US$2,500.23
Beyond financial costs, data breaches in the health sector have a particular social impact because they erode the public's trust in the integrity and reliability of the health system and, where individuals are unsure their sensitive information will be properly secured, reduces the public's willingness for such information to be collected, used and stored. In addition, and as shown by the recent HealthEngine saga, this loss of trust can occur even where an entity's actions do not strictly constitute a data breach, but do fall short of community expectations around how their sensitive information will be used. Importantly, data breaches often shine a light on the ways in which organisations handle personal information and other regulatory breaches that might not otherwise have been made public.
- Data breach: The HTML code for HealthEngine's Practice Recognition System (which relayed patient feedback to GPs) attached metadata which included the reviewer's original appointment dates and times. In respect of 75 such reviews, it also contained the reviewer's identifying information and therefore was an unauthorised disclosure of their personal information (and a data breach under the Privacy Act).24
- Other personal information practices: However, the strong public backlash to HealthEngine's practices did not relate to a data breach as such, but rather to HealthEngine's provision of patients' personal information to law firms 'seeking clients for personal injury claims'.25 While HealthEngine had sought 'consent' from individuals to share their personal information with third parties, this consent was bundled within their collection statement and it is clear from the public's response that this practice fell short of community expectations and violated the trust granted by patients to recipients of sensitive health information.
- Responses from regulators and industry: HealthEngine has since been 'condemned in a joint statement by Future Wise, the Australian Privacy Foundation and Electronic Frontiers Australia.'26 In addition, the Federal Health Minister directed both the OAIC and ADHA to commence investigations into HealthEngine. These reactions followed not from a data breach as such, but from HealthEngine's other practices, demonstrating the need for health organisations to ensure that they comply with both their legal data security requirements and their social licence to operate.
Office of the Australian Information Commissioner, Quarterly Statistics Report: April 2018 – June 2018 (31 July 2018) p13.
Office of the Australian Information Commissioner, Quarterly Statistics Report: January 2018 – March 2018 (11 April 2018); Verizon, 2018 Data Breach Investigations Report, pp 5, 9; Office of the Australian Information Commissioner, Quarterly Statistics Report: April 2018 – June 2018 (31 July 2018) p6.
- Verizon, 2018 Data Breach Investigations Report p33.
- Bryan Cave Leighton Paisner, 2017 Data Breach Litigation Report (8 September 2017) p 2; HIPAA Journal, Aetna settles class action lawsuit filed by victims of HIV status data breach (18 January 2018); Evan Sweeney, Arizona judge pares down class-action suit against Banner Health over 2016 data breach, Fierce Healthcare (21 December 2017); Kelsey Ryan, Children's Mercy faces class action lawsuit over data breach affecting thousands, The Kansas City Star (10 July 2018).
- The Ponemon Institute 2018 Cost of a Data Breach Study Global Overview found that companies with an 'incident response team reduced the cost of a data breach by as much as $14 per compromised record' (p 10) and that 'companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve' (p9).
- Danny Yadron, Los Angeles Hospital Paid $17,000 in Bitcoin to Ransomware Hackers, The Guardian (18 February 2016).
- Paul Farrell, The Medicare machine: patient details of 'any Australian' for sale on darknet, The Guardian (4 July 2017).
- Elizabeth Snell, Heathcare data breach leads to identity theft guilty plea, HealthIT Security (30 March 2018).
- McAfee, Health Warning: Cyberattacks are targeting the health care industry (October 2016); Robert Lord, The real threat of identity theft is in your medical records, not credit cards, Forbes Technology Council (15 December 2017); Ponemon Institute LLC, 2018 Cost of a Data Breach Study, Global Overview (July 2018).
- Verizon, 2018 Data Breach Investigations Report p 33.
Office of the Australian Information Commissioner, Quarterly Statistics Report: April 2018 – June 2018 (31 July 2018) p 14. See also Beazley Breach Insights Report – July 2018 (31 July 2018) which reflects similar findings in the United States, with 38% of all healthcare data breaches surveyed in the second quarter of 2018 being caused by accidental disclosures and 14% by insider incidents, as compared to 26% which were caused by hacking and malware attacks.
- Matthew J Schwartz, Verizon: Most Breaches Trace to Phishing, Social Engineering, BankInfo Security (3 March 2017).
- Royal Australian College of General Practitioners, Standards for general practices (5th edition, July 2017) p 72.
- BusinessWire, Venafi Survey: 79 Percent of Healthcare Professionals concerned about cyber security of personal data (29 March 2018).
- Privacy Act 1998 (Cth), s26WE(2); Office of the Australian Information Commissioner, Identifying eligible data breaches (December 2017).
- US Department of Health and Human Services, Breach Notification Rule (26 July 2013).
Jonathan Crowe, Ransomware Attacks on Healthcare Providers are officially being reported as Data Breaches, Barkly (April 2017).
- Dave Rickard, The Cost of 2017 Data Breaches, CSO (17 January 2018).
- Liz Freeman, Anthem Settles a Security Breach Lawsuit Affecting 80m, USA Today (26 June 2017).
- Greg Meckbach, Privacy class-action lawsuit in Ontario 'settled on incredibly favourable terms', Canadian Underwriter (24 November 2016); Greg Meckbach, Invasion of privacy class-action against Equifax proceeds in Ontario, Canadian Underwriter (1 February 2018).
- Various Claimants v WM Morrisons Supermarket PLC  EWHC 3113 (QB).
- Accenture Newsroom, One in Four US Consumers Have Had their Data Breached, Accenture Survey Reveals (20 February 2017).
- Esther Han, Scandal-hit HealthEngine axes third party referrals, patient reviews, Sydney Morning Herald (5 July 2018).
- Pat McGrath, Clare Blumer and Jeremy Story Carter, Medical Appointment Booking App HealthEngine Sharing Clients' Personal Information with Lawyers, ABC Online (26 June 2018).
- Rohan Pearce, HealthEngine Under Fire from Privacy Organisations, Computerworld (26 June 2018).