Healthcare Cybersecurity: A review of the industry

August 09, 2018

Every day, journalists covering healthcare information technology publish articles about the latest cyberattack or how woefully unprepared our IT infrastructure is for today’s advanced hacking techniques. These articles do their best to emphasize that, due to the comprehensive nature of patient records, a healthcare data breach compromises not only patient privacy, but also patient safety and even national security. Yet we’ve found these reports have slowly become a form of white noise in the Health IT media that has lulled the industry into passive acceptance. While we run the risk of adding to these reports, we at HGP believe it’s important to continue the conversation around healthcare cybersecurity, as well as highlight investment activity into efforts to address this large and complex problem.

To start, we wanted to address the severity of the situation by looking at the data. One of the many benefits of the HITECH Act is the requirement that the U.S. Department of Health and Human Services collect and publicly post a list of breaches of unsecured protected health information (PHI) affecting 500 or more individuals. The following charts highlight a couple of key findings:

2015 saw a number of significant high-profile breaches of millions of patient records, the most significant of which was the breach of 78.8 million records by Anthem. By contrast, 2017 was the first year since 2009 in which there were no reported breaches of more than 1 million records. 2018 has so far followed the trend of 2017 in having a relatively large number of less significant breaches, likely reflecting a different focus of hackers on smaller targets.

Looking at the types of breaches reported over time, we can see a strong increase in the proportion of breaches involving intentional hacking efforts and unauthorized disclosures. As EMRs have become nearly universally used over the last decade, the number of opportunities for more traditional theft has decreased, while hacking targets have grown exponentially.

As well as the type of breach, HHS reports the location of breached information – a set of data that is equally if not more interesting than the types of breaches over time. Email has become a significant entry point for attacks compared to 2010, while breaches through personal devices have more than halved since 2010 as stronger and more pervasive encryption policies have been instituted. Network servers have been a relatively consistent target of attacks, with the beginning of 2018 showing a slight decline from the peak in 2016 and 2017. It is still too early to tell whether the decline in network server attacks will continue. Interestingly, paper & film breaches have held steady at approximately 20% of breaches for nearly a decade – a trend we were not expecting to see before scrutinizing the data.

Naturally, most breaches are by healthcare providers themselves; however, it is interesting to see that the number of breaches by health plans has increased over the last decade from ~10% to ~15%. At the same time, the proportion of breaches by business associates (most commonly information technology vendors) has decreased significantly to less than 10% of total breaches from a high of 20%+. Our theory is that business associates are more cautious and stringent about security than other market participants since they risk losing significant business if they lose their clients’ data. Providers and health plans do not feel the same business-driven pressures since patients often do not choose their provider based on their perception of the provider’s level of information security.

Of course, a problem as serious as healthcare’s woeful cybersecurity, with serious economic consequences for breaches of any size, has encouraged innovative companies and investors to tackle the problem head-on. While many cybersecurity firms are generalists (think Symantec, IBM, FireEye, and McAfee), a few have focused on healthcare’s peculiarities, with some raising significant capital. Below is a listing of significant healthcare cybersecurity investments HGP has seen in the market.

 

Below are some relevant articles for continued reading regarding healthcare cybersecurity: