Tuesday, April 11, 2017

HHS data indicates nearly 1,800 large data breaches since 2009

Almost 1,800 large data breaches involving patient information have occurred since 2009, according to an analysis of publicly available data from the Department of Health and Human Services.

Researchers analyzed HHS data for the period from Oct. 21, 2009, through Dec. 31, 2016. They found that providers reported more than 1,200 of the large data breaches, while business associates, health plans and healthcare clearinghouses reported the remaining breaches.

Additionally, 257 large data breaches during that period were reported by 216 hospitals, with 33 hospitals suffering more than one breach, several of them large, prominent teaching hospitals.

Results from the retrospective data analysis were recently published in the journal JAMA Internal Medicine.

However, Ge Bai, lead author of the research and assistant professor at The Johns Hopkins Carey Business School, points out that under HIPAA regulations covered entities are required to notify HHS of any breach affecting 500 or more people within sixty days of discovering the breach.

“With smaller breaches, there is no requirement to report,” says Bai. As a result, she asserts that the HHS data does not accurately reflect the total number of breaches, which might be significantly higher. “We do not know how many breaches really happened in terms of the smaller ones,” according to Bai.

John Suit, chief technology officer at data security vendor Trivalent, says the study indicates that data protection technology has not been able to keep up with the digitization of healthcare.

“The result is an extreme risk for sufferers who put their trust in healthcare agencies to deal with their medical concerns, but also secure their sensitive and personal information,” says Suit. “To deal with this, hospitals, pharmacies, assisted living facilities, insurance providers, and research institutions must reinforce their security strategy and adopt a defense-in-depth approach with multiple layers of protection.”

Suit also notes that traditional encryption alone is no longer enough to thwart the growing number of cyber threats. He emphasizes that the healthcare industry “must turn to next generation solutions to secure data at the file level with encryption, shredding and secure storage, which renders personal sufferer data useless to unauthorized parties.”

Nevertheless, Bai makes the case that a fundamental trade-off exists between data security and data access, and that a goal of “absolutely no breaches at all” is an unrealistic expectation. “All you can do is handle the risk, not eliminate it,” she summarizes.
