Healthcare Again Led All Industries in Cybersecurity Breaches in 2018
Healthcare (Basel). 2020 Jun; 8(2): 133.
Healthcare Data Breaches: Insights and Implications
Received 2020 Mar 25; Accepted 2020 May 1.
Abstract
The Internet of Medical Things, Smart Devices, Information Systems, and Cloud Services have led to a digital transformation of the healthcare industry. Digital healthcare services have paved the way for easier and more accessible treatment, thus making our lives far more comfortable. However, the present day healthcare industry has also become the main victim of external as well as internal attacks. Data breaches are not just a concern and complication for security experts; they also affect clients, stakeholders, organizations, and businesses. Though the data breaches are of different types, their impact is almost always the same. This study provides insights into the various categories of data breaches faced by different organizations. The main objective is to do an in-depth analysis of healthcare data breaches and draw inferences from them, thereby using the findings to improve healthcare data confidentiality. The study found that hacking/IT incidents are the most prevalent forms of attack behind healthcare data breaches, followed by unauthorized internal disclosures. The frequency of healthcare data breaches, magnitude of exposed records, and financial losses due to breached records are increasing rapidly. Data from the healthcare industry is regarded as being highly valuable. This has become a major lure for the misappropriation and pilferage of healthcare data. Addressing this anomaly, the present study employs the simple moving average method and the simple exponential smoothing method of time series analysis to examine the trend of healthcare data breaches and their cost. Of the two methods, the simple moving average method provided more reliable forecasting results.
Keywords: healthcare data breaches, data confidentiality, data security, cost effectiveness, data analysis, time series analysis, data breach forecasting, cost forecasting
1. Introduction
Advances in information and communication technology have helped the healthcare industry to replace paper-based systems with electronic health record (EHR) systems to provide better and more cost-effective services to its customers. EHRs enhance patient care, develop patient cooperation, enhance disease diagnosis, improve practice efficiency, and make patient health data accessible all the time [1]. Additionally, smartphones and other web-based smart devices have changed the way we communicate. These devices empower users to easily and conveniently access the online services provided by different organizations. Healthcare is one amongst them. The last few years have seen healthcare information become more digitized, distributed, and mobile [2]. The Internet of Medical Things (IOMT) has also played a vital role in this context. Sensitive data are collected by healthcare organizations from their customers and stored on network servers to make them accessible all the time, and to facilitate patient care, but unfortunately, every blessing has a curse, which also applies here. The use of smartphones and other smart devices has also become a key source of privacy breaches [3]. Due to software vulnerabilities, security failures, and human error, these databases are sometimes accessed by unauthorized users. This leads to the exposure of sensitive data in the form of data breaches. Sometimes, insider attackers cause damage to protected health data, which results in the loss, theft, or disclosure of sensitive healthcare data. The price of a complete record file of a single patient can be hundreds of dollars on the dark web [4]. In comparison to other data industries, the healthcare industry is among the worst affected [5].
As reported by many practitioners, from 2005 to 2019, the total number of individuals affected by healthcare data breaches was 249.09 million. Out of these, 157.40 million individuals were affected in the last five years alone [6]. In the year 2018, the number of data breaches reported was 2216 from 65 countries. Out of these, the healthcare industry faced 536 breaches. This implies that the healthcare industry has faced the highest number of breaches among all industries [7]. There were 2013 data breaches reported from 86 countries in the year 2019 [8]. The total number of healthcare records that were exposed, stolen, or illegally disclosed in the year 2019 was 41.2 million in 505 healthcare data breaches [8]. According to an IBM report, the average cost of a data breach in 2019 was $3.92 million, while a healthcare industry breach typically costs $6.45 million [9]. This cost was the highest in the USA compared to other countries. Usually, a data breach would cost $8.19 million. However, the average cost of a healthcare data breach (average breach size 25,575 records) in the USA is $15 million [10]. The average cost of a data breach increased by 12% from 2014 to 2019, and the average cost of a breached record increased 3.4% in the same time period. Moreover, the cost of a breached record in the healthcare sector registered an increase of 19.4%, the highest in this time period [10,11,12,13].
The aforementioned facts and figures show that the data assets of individuals and organizations are at risk. Even more alarmingly, the healthcare industry in particular is being targeted by attackers, and is therefore the most vulnerable. Thus, data privacy and confidentiality have become a serious concern for both individuals and organizations. Healthcare data are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof. In this study, our main concern was to investigate the healthcare data breaches reported or published by different eminent and authentic sources. We aimed to examine the causes of these breaches and use the results to improve healthcare data confidentiality. The analyzed factors that lead to healthcare data breaches will be addressed in our future research work to improve healthcare data confidentiality.
The rest of this study is divided into the following sections. Section 2 defines the adopted methodology. Section 3 provides information about the data sources. Section 4 frames the analysis of data breaches, providing insights into the data breaches which are pertinent to healthcare. Section 5 depicts the forecasting of healthcare data breaches. Section 6 provides a discussion and the summarized results of this work, and Section 7 chronicles the conclusion of the work.
2. Adopted Methodology
The sole aim of this study was to examine and investigate healthcare data breaches. This investigation was intended to provide insights into the causes and consequences of these occurrences on individuals and organizations. To this end, the authors analyzed different eminent and authentic data sources that included the Privacy Rights Clearinghouse (PRC), Health Insurance Portability and Accountability Act (HIPAA) journals, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS.gov) USA, Ponemon Institute reports on data breach costs, and Verizon Data Breach Investigations Reports (Verizon-DBIR). In the next section, we briefly discuss these sources. The format of the data analysis method that was adopted in this study can be enumerated in the following steps:
- First, data are compiled from the sources mentioned above and presented in tabular form.
- Second, sum, percentage, and average methods are applied to this data, and different types of patterns are extracted.
- Third, these patterns will help us to understand the sources and consequences of healthcare data breaches, the rise and fall of data breaches, the behavior of different types of attacks, and other important things that are discussed in the analysis section of this study.
- Fourth, a time series analysis is applied for healthcare data breach forecasting.
3. Data Sources
The data for the present research effort was obtained from the following sources:
PRC Database: PRC is a US-based, non-profit organization established by Beth Givens in 1992. Its primary purpose is to protect consumer data, to provide consumer advocacy services and guidelines to control personal data, and to improve consumer awareness about the effects of technology on personal privacy. It provides a complete database of data breaches. The database has a record of 9016 data breach instances reported by different organizations. According to the PRC database, more than 10 billion user records have been compromised since 2005.
HIPAA Journal: The HIPAA Journal is an effective outcome of the HIPAA Act 1996. It is a US-based journal that provides comprehensive data about healthcare data breaches, guidelines for HIPAA compliance, and practical guidelines for data breach avoidance. It has been providing comprehensive information about healthcare data breaches since September 2009.
OCR Reports: The Office for Civil Rights of the Department of Health and Human Services of the United States also provides yearly/bi-yearly or tri-yearly data breach reports, named "Report to Congress on Breaches of Unsecured Protected Health Information". These reports provide comprehensive information about healthcare data breaches from 2009 to 2017 [14,15].
Ponemon Institute Reports: The Ponemon Institute is an eminent research institute that mainly focuses on the protection of data, privacy, and security of information issues and policies. It was established in 2002 in Michigan by Dr. L. Ponemon. The institute's reports are a repository of authentic records on data breach costs, sponsored by IBM.
Verizon-DBIR: Data breach investigation reports by Verizon Enterprises comprise yearly investigation reports on data breaches. The first such report was published in 2008. The reports record instances of data invasion in private as well as public organizations across the world.
All these are globally accepted sources of eminent and accurate data on data breaches.
For this research effort, we have premised our analysis on the sources mentioned above to examine healthcare data breaches and their causes and consequences. These sources have enabled us to garner an in-depth understanding of patterns in data breaches, and have facilitated our research on mapping the implications.
4. Analysis of Data Breaches
Generally, a data breach is an illegal disclosure or use of data without authorization. The United States Department of Health and Human Services defines a data breach as "the illegal use or disclosure of confidential health data that compromises the privacy or security of it under the privacy rule that poses a sufficient risk of financial, reputational, or other type of damage to the affected person" [11]. The HIPAA definition of a data breach is "the procurement, access, use or exposure of confidential health information illegitimately, which compromises the privacy or security of that confidential health information" [14].
Data breaches can harm individuals and organizations in several ways. Besides the huge financial setback that organizations have to deal with in cases of data pilferage, such instances also dent the image of the organizations, marring their reputation and brand value. Data breaches are usually classified into two major categories: internal and external. Internal data breaches comprise incidents that occur with the help of an internal agent. These may be privilege abuse, unauthenticated access/disclosure, improper disposal of unnecessary but sensitive data, loss or theft, or the unintentional sharing of confidential data with an unauthorized party. External data breaches are incidents caused by any external entity or source. These include any hacking/IT incident such as a malware attack, ransomware attack, phishing, spyware, or fraud in the form of stolen cards, etc.
The Privacy Rights Clearinghouse (PRC), a nonprofit organization based in the USA, reported that there were 9016 data breach instances in different sectors from January 2005 to October 2019. The total number of records exposed in these breaches was more than 10 billion (10,376,741,867) [6]. The different types of attacks used to breach the data were Intentional Insider Attacks (INSD), Frauds Using Cards (CARD), Physical Damage such as the theft or loss of paper documents (PHYS), Damage of Portable Device such as loss or theft (PORT), Hacking or Malicious Attacks (HACK), Stationary Computer Loss (STAT), Unknown Approaches (UNKN), and Unintentional Disclosure (DISC). The organizations that were affected by these data breaches may be classified into the following categories:
Some data breach incidents corresponding to each sector have been reported in the PRC database. Since in these intrusions, no records were breached, the authors have not included those numbers in their reference on the representation of data breaches by sector. After an exhaustive analysis of the PRC database, the compiled data was tabulated in Table 1.
Table 1
Name of Sector | Number of Breaches, Last 15 Years (2005–2019) | Percentage (%), Last 15 Years (2005–2019) | Number of Breaches, Last 5 Years (2015–2019) | Percentage (%), Last 5 Years (2015–2019) |
---|---|---|---|---|
EDU | 671 | 10.55 | 64 | 3.08 |
BSF | 410 | 6.45 | 194 | 9.36 |
BSO | 426 | 6.70 | 113 | 5.45 |
MED | 3912 | 61.55 | 1587 | 76.59 |
GOV | 561 | 8.82 | 45 | 2.17 |
NGO | 75 | 1.18 | 7 | 0.33 |
BSR | 300 | 4.72 | 62 | 2.99 |
Total | 6355 | 99.97 | 2072 | 99.97 |
Table 1 presents data on data breach incidents by sector in two scenarios. The first scenario is a collation of the breach episodes that have occurred in the last 15 years. The second scenario, which is the core focus of our study, records the breach episodes that occurred in the healthcare industry in the last 5 years. A comparative analysis of the two scenarios clearly reveals that the healthcare industry is most susceptible to data pilfering.
A thorough analysis of the entire 15-year timeframe shows that the healthcare (MED) sector in both the time frames (2005 to 2019 and 2015 to 2019) has faced the highest number of data breaches. Out of the 6355 breach incidents reported during 2005–2019, 3912 were recorded in the healthcare industry alone. This accounts for 61.55% of the total. The MED sector is followed by the EDU and GOV sectors, which account for 10.55% and 8.82%, respectively. Out of the 3912 incidents that the healthcare industry faced, 1587 were carried out in the last five years (2015 to 2019), comprising 40.56% of the total healthcare data breaches. This is cause for great alarm, and calls for immediate remedial action.
In the second case, from 2015 to 2019, there were a total of 2027 data breach incidents faced among the specified sectors. Out of these 2079 incidents, 1587 were recorded in the healthcare (MED) sector, which is 76.59% of the total. The MED sector is followed by the BSF sector, with a share of 9.36%. Yet, the other sectors show a minor decrease in incidents. The data clearly shows that the healthcare industry has become the main victim of data breaches. Moreover, the rate of healthcare data breaches has increased even more rapidly in the last five years.
Figure 1 presents a graphical representation of Table 1. The figure shows that the slope of the graph in each sector has witnessed a decrease in the second case (2015–2019), except in the MED sector, followed by the BSF sector. The graph indicates that the healthcare industry is the preferred target of attackers because of the high commercial value of EHRs.
4.1. Healthcare Data Breach Analysis
Generally, healthcare data breaches can be defined as "illegitimate access or disclosure of the protected health information that compromises the privacy and security of it". To analyze healthcare data breaches, the authors investigated the MED domain of the PRC database thoroughly [6]. Table 2 provides information about healthcare data breaches reported by PRC. In this table, the data has been presented in two different scenarios. In the first scenario, data is presented as a whole from 2005 to 2019. In the second scenario, we presented the data in three clusters, i.e., from 2005 to 2009, 2010 to 2014, and 2015 to 2019. The objective of data clustering is to detect changes in the trends of healthcare data breaches with the passage of time.
Table 2
Type of Attack | Scenario-I: Number of Breaches (2005–2019) | Scenario-I: Individuals Affected in Millions (2005–2019) | Scenario-II: Number of Breaches (2005–2009) | Scenario-II: Number of Breaches (2010–2014) | Scenario-II: Number of Breaches (2015–2019) | Scenario-II: Individuals Affected in Millions (2005–2009) | Scenario-II: Individuals Affected in Millions (2010–2014) | Scenario-II: Individuals Affected in Millions (2015–2019) |
---|---|---|---|---|---|---|---|---|
DISC | 1019 | 13.71 | 28 | 406 | 585 | 0.75 | 6.41 | 6.55 |
HACK | 806 | 161.05 | 8 | 241 | 557 | 0.60 | 14.70 | 145.75 |
INSD | 181 | 1.24 | 21 | 146 | 14 | 0.24 | 0.93 | 0.07 |
PHYS | 1315 | 35.85 | 33 | 905 | 375 | 0.14 | 31.33 | 4.38 |
PORT | 382 | 23.71 | 94 | 238 | 51 | 11.05 | 12.02 | 0.64 |
STAT | 86 | 10.08 | 14 | 72 | 1 | 0.44 | 9.64 | 0.0009 |
UNKN | 123 | 3.42 | 4 | 115 | 4 | 0.27 | 3.15 | 0.0008 |
Total | 3912 | 249.09 | 202 | 2123 | 1587 | 13.49 | 78.18 | 157.40 |
Analysis of Table 2 shows that 249.09 million people were the victims of healthcare data breach episodes. From 2005 to 2009, 13.49 million health records were exposed, i.e., 5.41% of the total number of cases. In the period from 2010 to 2014, 78.18 million records were exposed; this makes up 31.38% of the total. From 2015 to 2019, 157.40 million records were exposed, that is, 63.19% of the total. In addition, out of 249.09 million records, 161.05 million were exposed through hacking attacks that comprised 64.65% of the total exposed health records from 2005 to 2019. An interesting pattern that can be detected here is that:
- In the first cluster of five years (2005 to 2009), only 0.6 million records were exposed through hacking.
- In the second cluster of five years (2010–2014), 14.70 million records were exposed through hacking.
- In the third cluster of five years (2015–2019), 145.75 million records were exposed.
Thus, it is evident that the healthcare industry has been inundated by hackers in the last five years, compromising 90.49% of health records during this time period.
This analysis places the healthcare industry in a very vulnerable position. Yet another facet to note is the types of attacks employed for data breaches. Other than HACK attacks, the healthcare sector has also been targeted by PHYS and PORT attacks. Reports state that 14.39% of PHYS attacks and 9.51% of PORT attacks were engineered from 2005 to 2019. But in the last five years (2015 to 2019), a significant decline has been recorded in the numbers of HACK and PHYS attacks. Only 1.75% of reported attacks from 2015–2019 were HACK, and as few as 0.25% were PHYS. The highest number of data breaches from 2005 to 2019 was in the form of DISC type attacks. There were as many as 1019 DISC attacks out of a total of 3912 data breach incidents, comprising 26.04% of the total. However, these attacks only succeeded in exposing 13.77 million records.
Figure 2 and Figure 3 depict the proportion of records exposed with each type of attack, given in percentages, from 2005 to 2019 and 2015 to 2019, respectively. Both figures show that hacking is the main cause behind the exposure of highly sensitive health records. The figure also shows an abrupt increase in hacking incidents in the same time frame.
Furthermore, Figure 2 and Figure 3 show that the INSD (Intentional Insider Attacks) and UNKN (Unknown Approach)-type attacks have the least effect on the healthcare industry. INSD and UNKN were responsible for only 0.5% and 1.36%, respectively, of the total number of exposed records from 2005 to 2019. The types of attacks that have shown a rapid decrease in the last five years (2015–2019) are PHYS, from 14.39% to 2.78%, PORT, from 9.52% to 0.4%, and STAT (Stationary Computer Loss), from 4.04% to 0.0006%.
CARD (Fraud involving Debit and Credit Cards) is a type of attack mentioned in the OCR database specifications, but we could not confirm any such data breaches. Hence, we have not included CARD in our analysis. Cyber-attacks are carried out to disrupt computer server systems, and in our study, we have bracketed them under the umbrella of Hacking/IT incidents.
4.2. HIPAA and OCR Data Breach Report Analysis
The authors of this study have also compiled the data of healthcare breaches published by the HIPAA Journal from 2010 to 2019. The data were sourced and analyzed from different monthly, yearly, and other reports published by HIPAA. It is not possible to provide references of every HIPAA Journal report that we referred to in compiling the data; therefore, we have only cited the main references of the journal reports. These references support our data. The data are presented in Table 3 [8,16,17]. We found quantitative variations in some reports while compiling the aforementioned data, e.g., the number of data breaches reported in 2014 was 307 in one HIPAA report and 314 in another. In such contradictory cases, we opted to take the data from the latest report.
Table 3
Year | Number of Data Breaches | Exposed Records in Millions |
---|---|---|
2010 | 199 | 5.530 |
2011 | 200 | 13.150 |
2012 | 217 | 2.800 |
2013 | 278 | 6.950 |
2014 | 314 | 17.450 |
2015 | 269 | 113.270 |
2016 | 327 | 16.400 |
2017 | 359 | 5.100 |
2018 | 365 | 33.200 |
2019 | 505 | 41.200 |
Total | 3033 | 255.18 |
In Table 4, we present the compiled data of different reports generated by the Office for Civil Rights with the title "Report to Congress on Breaches of Unsecured Protected Health Information" from 2010 to 2017. The OCR data breach reports for the years 2018 and 2019 have not been published by the OCR yet [15].
Table 4
Year | Number of Data Breaches | Individuals Affected in Millions |
---|---|---|
2010 | 207 | 5.400 |
2011 | 236 | 11.410 |
2012 | 222 | 3.270 |
2013 | 294 | 8.170 |
2014 | 277 | 21.340 |
2015 | 289 | 110.700 |
2016 | 334 | 14.570 |
2017 | 385 | 5.740 |
2018 | − | − |
2019 | − | − |
Total | 2244 | 108.80 |
To check the accuracy and consistency of the data, we compared it only with the compiled data of HIPAA and OCR reports from 2009 to 2017 because of the unavailability of OCR data for 2018–2019. A comparative study of the HIPAA and OCR data breach reports shows a small variation in the number of breaches recorded each year and the number of exposed records from these breaches. The total number of breaches reported by HIPAA from 2010 to 2017 was 2163, and the total number of records exposed from these breaches was 180.65 million, while the total number of breaches reported by the OCR for the same period was 2244, and the total number of records exposed from these breaches was 180.6 million. The HIPAA and OCR data note that the highest number of data breaches was reported in 2017, whereas the highest number of records was exposed in 2015.
The data analysis in Table 3 and Table 4 shows that the healthcare sector saw a mercurial rise in data breach cases in 2015, when more than 40% of the health records were exposed. After 2015, the maximum number of health records was exposed in 2019. The number of cases accounted for 16.14% of the total of 255.18 million exposed health records from 2010 to 2019. The compiled data also shows that the number of healthcare data breach cases was considerably less in 2017, when only 5.1 or 5.7 million records were breached. An overall analysis indicates that the data breach trend started to show an abrupt increase from the year 2014.
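As an added example (not code from the paper), the two time-series methods named in the abstract, the simple moving average and simple exponential smoothing, can be applied to the yearly breach counts of Table 3. The 3-year window, the smoothing factor of 0.5, the initialisation of the smoothed level and all function names are assumptions made for illustration; the paper's own parameters and forecasts are not given in this section.

```python
# Added example, not from the paper: one-step-ahead forecasts of the yearly
# breach counts in Table 3 using a simple moving average (SMA) and simple
# exponential smoothing (SES). WINDOW and ALPHA are assumed values.

# Number of data breaches per year, copied from Table 3 (HIPAA compilation).
BREACHES = {
    2010: 199, 2011: 200, 2012: 217, 2013: 278, 2014: 314,
    2015: 269, 2016: 327, 2017: 359, 2018: 365, 2019: 505,
}

WINDOW = 3   # assumption: length of the moving-average window in years
ALPHA = 0.5  # assumption: SES smoothing factor


def sma_forecast(counts, window=WINDOW):
    """Forecast each year as the mean of the `window` preceding years.

    Returns {year: forecast}, including the first year after the data ends.
    Assumes the years in `counts` are consecutive.
    """
    years = sorted(counts)
    if len(years) < window:
        raise ValueError("need at least `window` observations")
    forecasts = {}
    for i in range(window, len(years) + 1):
        target = years[i] if i < len(years) else years[-1] + 1
        forecasts[target] = sum(counts[y] for y in years[i - window:i]) / window
    return forecasts


def ses_forecast(counts, alpha=ALPHA):
    """Forecast each year with F[t+1] = alpha * y[t] + (1 - alpha) * F[t].

    The level is initialised with the first observation (an assumption),
    so the first forecast is for the second year in the data.
    """
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    years = sorted(counts)
    level = float(counts[years[0]])
    forecasts = {}
    for year in years[1:]:
        forecasts[year] = level                       # forecast made before seeing `year`
        level = alpha * counts[year] + (1 - alpha) * level
    forecasts[years[-1] + 1] = level                  # first out-of-sample year
    return forecasts


def mean_abs_error(counts, forecasts, years):
    """Mean absolute forecast error over the given years."""
    return sum(abs(counts[y] - forecasts[y]) for y in years) / len(years)


def compare(counts=BREACHES):
    """Score both methods on the years for which both produce a forecast."""
    sma, ses = sma_forecast(counts), ses_forecast(counts)
    common = [y for y in sorted(counts) if y in sma and y in ses]
    next_year = max(counts) + 1
    return {
        "sma_mae": mean_abs_error(counts, sma, common),
        "ses_mae": mean_abs_error(counts, ses, common),
        "sma_next": sma[next_year],
        "ses_next": ses[next_year],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

The error ordering of the two methods in this example is specific to the assumed window and smoothing factor.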
4.2.1. Data Disclosure Types
A comprehensive analysis was carried out on HIPAA data breach reports. It was found that the main disclosure types of protected healthcare information were hacking incidents, unauthorized access (internal), theft or loss, and improper disposal of unnecessary data. The procedure that we discussed in Section 4.2 for references [8,17,18] is also followed in this context. The different disclosure types mentioned above are briefly explained below:
Hacking Incidents: Hacking incidents comprise all cyber-attacks that are used to gain unauthorized access to confidential information. Ransomware and malware are the main approaches that are used to expose protected health data [8,17].
Unauthorized Access (internal): This includes all types of attacks that lead to the exposure of confidential health data with the help of any internal source of an organization. This may be abuse of privileges, unauthenticated access/disclosure, etc.
Theft or loss: This comprises all incidents that lead to the disclosure of protected health data in the form of theft or loss, such as the theft of hard disks, laptops, or any other portable device that contains protected healthcare information. This can also be because of catastrophic damage or the loss of these devices.
Improper disposal of unnecessary data: Unnecessary but sensitive and confidential data should be properly disposed of so that it cannot later be retrieved. Improper disposal of this data can lead to the disclosure of protected health information. The improper disposal attack type includes all breach incidents that are caused by the improper disposal of unnecessary but sensitive and confidential health data.
Table 5 presents detailed information about the number of healthcare data breach incidents carried out with these disclosure types.
Table 5
Year | Hacking/IT Incidents | Unauthorized Access/Disclosure (Internal) | Theft/Loss | Improper Disposal |
---|---|---|---|---|
2010 | 8 | 8 | 148 | 10 |
2011 | 17 | 27 | 136 | 7 |
2012 | 16 | 25 | 138 | 8 |
2013 | 25 | 64 | 150 | 13 |
2014 | 35 | 76 | 143 | 12 |
2015 | 57 | 101 | 105 | 6 |
2016 | 113 | 129 | 78 | 7 |
2017 | 147 | 128 | 73 | 11 |
2018 | 158 | 143 | 55 | 9 |
2019 | 274 | 142 | 51 | 7 |
Total | 850 | 843 | 1077 | 90 |
In this table, we present the number of breach incidents executed by a particular disclosure type from 2010 to 2019. As per the table, the following facts can be underscored:
- From 2010 to 2019, a total of 2860 breach incidents were carried out through the aforementioned disclosure types.
- 29.72% of breach instances were due to hacking/IT incidents.
- 29.47% of breach instances were due to internal unauthorized disclosures.
- 37.65% of instances were due to theft/loss cases.
- 3.14% of instances occurred due to the improper disposal of unnecessary but sensitive data.
- The overall results show that theft/loss cases are the highest in number, followed by hacking/IT incidents and unauthorized internal disclosure, while there are very few cases of improper disposal in the 10-year period.
- When we analyzed the pattern over the last four years, we found an abrupt increase in hacking/IT incidents. Out of the 850 hacking/IT incidents reported in the ten-year (2010–2019) period, 692 incidents were reported in the last four years alone (2016–2019); that accounts for 81.85% of the total, among which 32.23% were reported in 2019 alone.
Thus, this analysis clearly depicts that hacking and other IT-related attacks have become a serious concern for the healthcare data industry. Unauthorized access/internal disclosure has also shown an increase in the last few years, but not as fast as hacking incidents. Out of the total of 843 unauthorized internal disclosure incidents, 542 were reported in the last four years. This figure comprises 64.29% of the total, and out of this, 16.84% of incidents were reported in 2019. A comparison of this proportion (16.84%) with last year (2019) shows that hacking incidents increased by 32.23%. This is double the number of unauthorized internal disclosure incidents. Here, we also found how hacking incidents became more frequent and became a severe concern for the healthcare sector.
On the other hand, theft/loss and improper disposal have shown a clear decrease in the last four years. Out of a total of 1077 theft/loss incidents, only 257 were reported in the last four years, that is, 23.86% of the total. Furthermore, out of a total of 90 improper disposal cases, just 34 were reported in the last four years, that is, 37.77% of the total. These calculations show that theft/loss and improper disposal have a far less adverse effect on the healthcare industry. Figure 4 provides a graphical presentation of different disclosure types.
The above graph shows that theft/loss and improper disposal incidents have decreased in frequency, but that hacking/IT incidents and unauthorized access incidents have increased. Notably, hacking/IT incidents have shown a sharp increase over the last few years. In the next subsection, we will discuss the locations of breached data and from where the sensitive health information has been breached/disclosed.
4.2.2. Breached Locations
Protected health information is stored either on paper or on electromechanical storage devices. This section details the locations from where the protected health information is breached through different approaches. Yearly information about the location of data breach incidents is shown in Table 6. The data presented in this table were compiled from OCR and HIPAA reports. In this context, we also followed the same procedure as discussed in Section 4.2. We have provided only the important references [8,13,17,18,19,20,21], because for 2018 and 2019, we referred to 24 different reports, and including all of them in this study would not be feasible.
Table 6
Year | EMR | Laptop | Desktop Computer | Other PED | Paper/Films | Network Server | Email | Other | Total |
---|---|---|---|---|---|---|---|---|---|
2019 | 39 | 23 | 32 | 14 | 58 | 117 | 199 | 45 | 527 |
2018 | 26 | 25 | 33 | 20 | 62 | 66 | 115 | 35 | 382 |
2017 | 34 | 20 | 38 | 18 | 62 | 82 | 92 | 39 | 385 |
2016 | 30 | 25 | 26 | 16 | 73 | 83 | 51 | 30 | 334 |
2015 | 27 | 34 | 29 | 19 | 70 | 52 | 32 | 26 | 289 |
2014 | 13 | 43 | 24 | 19 | 57 | 49 | 42 | 30 | 277 |
2013 | 16 | 70 | 39 | 23 | 57 | 31 | 26 | 32 | 294 |
2012 | 5 | 60 | 27 | 20 | 50 | 30 | 8 | 22 | 222 |
2011 | 5 | 48 | 32 | 30 | 65 | 21 | 3 | 32 | 236 |
2010 | 0 | 49 | 26 | 37 | 21 | 12 | 2 | 60 | 207 |
Total | 195 | 397 | 306 | 216 | 575 | 543 | 570 | 351 | 3253 |
In Table 6, eight locations, i.e., Electronic Medical Records (EMR), Laptop, Desktop computers, Other Portable Electronic Devices, Paper documents, Network Server, Email, and Other, are the locations from which the protected health information (PHI) was breached. According to the analysis, out of the 8 locations, Paper/Films is the most susceptible to breaches. It saw 575 breach incidents out of a total of 3253 incidents, accounting for 17.67% of the total number of episodes during 2010 to 2019. The leading position of Paper/Films is because of the improper disposal of unnecessary but sensitive healthcare information. Paper/Films is followed by Email, which represented 17.52%, and Network servers, which accounted for 16.69% of the total.
Electronic Medical Records (EMR) saw the fewest instances of intrusion, with only 195; this is only 5.99% of the total of 3253 incidents carried out in the same time period. EMR is followed by Other Portable Electronic Devices (PED), which made up 6.64% of the total. Desktop computers accounted for 9.40% of the total. As per the data, the attacks on Email and Network Server locations showed a marked increase from 2016–2019. Out of a total of 570 Email location-based data breach incidents, 457 were reported in the last four years (2016 to 2019), of which 35.03% were reported in the year 2019 only. Moreover, out of a total of 543 Network server location-based data breach incidents, 348 were reported in the last four years (2016 to 2019). Once again, 22.03% of these cases were reported in 2019 alone. This is because of the digitization of healthcare organizations and the excessive use of smart devices by customers. Studies also show that outdated security software, database servers without passwords, and email accounts with weak or no passwords are the most common reasons behind these breaches. Our analysis also revealed that Paper/Films, Desktop computers, and Laptops have shown a small decrease in the number of breaches over the last four years.
Our study observed that at present, attacks on sensitive healthcare information are being perpetrated by cyber criminals who apply different techniques such as malware, ransomware, or phishing attacks [8,17] to prey on EHRs. Email and Network servers have become attack-prone locations for hackers. Figure 5 shows a comparative representation of these locations on the basis of the number of breach incidents carried out on each location every year. Graphical representation will help the reader to understand the results that we have produced through this analysis, and will also help to map the variation of healthcare data breach incidents carried out on specified locations over a ten-year period.
4.3. Financial Effect of Data Breaches
Data breach cost calculation is a complex task. Different institutions have set parameters and applied different techniques to estimate the average cost of data breaches. The Ponemon Institute calculates both direct and indirect expenses incurred by an organization to determine the average cost of a data breach. This section discusses the financial effects of data breaches, and mainly focuses on healthcare data breaches. For this purpose, the data breach cost reports generated by the Ponemon Institute sponsored by IBM were analyzed to determine the financial effects of data breaches on individuals, organizations, and countries. Table 7 provides information about data breach costs from 2010 to 2019. The data presented in this table were compiled from different Ponemon-IBM sponsored data breach cost reports [12,13,22,23,24,25,26,27].
Table 7
Year | Average Cost of Breach in Millions | Average Cost Per Record | Cost Per Record in Healthcare |
---|---|---|---|
2010 | $7.24 | $214 | $294 |
2011 | $5.50 | $194 | $240 |
2012 | $3.20 | $136 | $233 |
2013 | $3.29 | $140 | $296 |
2014 | $3.50 | $145 | $359 |
2015 | $3.79 | $154 | $363 |
2016 | $4.00 | $158 | $355 |
2017 | $3.62 | $141 | $380 |
2018 | $3.86 | $148 | $408 |
2019 | $3.92 | $150 | $429 |
Data breach cost analysis shows that healthcare breached record costs have increased rapidly compared to the average cost of a breached record. The average record cost was $214 in 2010, but in 2011, it had decreased by 10%. In 2012, it decreased by 42.64% from the previous year. After that, it gradually increased or decreased year by year; in 2019, it increased by 1.55% from the previous year. From 2010 to 2019, the healthcare breached record cost increased by 45.91% from $294 to $429. The cost of each breached record in the healthcare sector was $294 in 2010; this figure decreased until 2012, after which it increased by 1.11% from 2014 to 2015, 7.04% from 2016 to 2017, and 5.14% from 2018 to 2019. The 2018 Verizon DBIR report showed that 76% of data breaches carried out in 2018 were financially motivated [7]. In line with that report, it was shown that 83% of healthcare data breaches had financial motives [21]. Figure 6 provides a graphical cost comparison of average breached record costs and healthcare breached record costs by year. In the next subsection of this report, we will perform a time series analysis to find the trend of healthcare data breaches and their costs.
5. Forecasting of Healthcare Data Breaches
Time series analysis is a statistical approach that is used for forecasting or trend analysis; it works on data sets ordered in time, or deals with time series data. Time series data defines the set of values that a variable takes at different times. In this study, the Simple Moving Average (SMA) and Simple Exponential Smoothing (SES) methods of time series were applied to the data to determine the trend of healthcare data breaches and their cost on the healthcare industry. Two methods of time series were applied to the same data in this study to determine the variations, if any, and to make the forecasting results more consistent.
The Simple Moving Average (SMA) method has been adopted extensively to keep forecasts up to date. This method is based on the calculated averages of subsets of a data set. The moving average can be calculated by making subgroups of observations. It can include two, three, four, or five observation groups. After calculating the moving average, it was used to forecast the next period [25].
$$A_t = \frac{O_t + O_{t-1} + \dots + O_{t-n+1}}{n} \qquad (1)$$
where $A_t$ is the moving average at time t, which is the forecast value at time t + 1; $O_t$ is the observation at time t; and n is the number of observations in an interval or subgroup [28].
Here we have the interval of two observations as a subgroup, and the moving averages are calculated. Table 8 summarizes the forecast information about healthcare data breaches via the SMA method. Here, the actual values represent known observations, while the forecast values are the predicted values calculated using the SMA method. With the help of the data analysis tool in Microsoft Excel, we generated the forecast results and compared them with manually calculated results with the aid of Equation (1) for accuracy. In the interests of brevity, we have only shown the final forecast results in tabular and graphical form. Figure 7 provides a graphical presentation of the forecast data breaches, while Figure 8 shows the forecast costs for breached healthcare records.
Table 8
Year | Number of Data Breaches (Actual Values) | Forecast Values by SMA Method | Cost Per Record in Healthcare (Actual Values) | Forecast Values by SMA Method |
---|---|---|---|---|
2010 | 199 | N/A | $294 | N/A |
2011 | 200 | 199.5 | $240 | $267 |
2012 | 217 | 208.5 | $233 | $237 |
2013 | 278 | 247.5 | $296 | $265 |
2014 | 314 | 296 | $359 | $328 |
2015 | 269 | 291.5 | $363 | $361 |
2016 | 327 | 298 | $355 | $359 |
2017 | 359 | 343 | $380 | $368 |
2018 | 365 | 362 | $408 | $394 |
2019 | 505 | 435 | $429 | $419 |
2020 | − | 505 | − | $429 |
In Figure 7, the green curve represents actual data breaches, while blue represents forecast data breaches calculated on the basis of the moving average. Both curves are close to each other and show an increasing trend. However, the actual curve always lies above the forecast line, which predicts that the magnitude of data breaches will increase in the coming years. Hence, all necessary and preventive measures have to be taken by researchers, security experts, and healthcare organizations to minimize this.
Figure 8 presents the results of cost forecasting of exposed health records, determined using the SMA method. The actual and forecast curves are close to each other from start to end. Nevertheless, the actual curve consistently stays on the upper side. The forecast curve shows that the cost of healthcare breached records increases consistently. From this trend, we can predict that in future, the cost of healthcare breached records will increase, albeit gradually.
Simple Exponential Smoothing (SES) is a forecasting method used for univariate data. It is one of the most popular forecasting methods that uses the weighted moving average of past data as the basis for a forecast. Unlike the Simple Moving Average method, the idea of this method is to provide the highest weights to recent data points (observations) and the lowest weights to older data points (observations) [29]. It is better known for short-term forecasting, and its accuracy strongly depends on the optimal value of the smoothing constant, α. The value of α is between 0 and 1. When α is close to 1, fast learning is indicated (in this case, forecasting is influenced by only the most recent values), whereas when α is close to 0, slow learning (in that case, forecasting is influenced by old observations) occurs. The general formula for SES is:
$$F_{t+1} = \alpha y_t + (1 - \alpha) F_t \qquad (2)$$
where $F_{t+1}$ is the forecast value at time t + 1, α is the smoothing constant, $y_t$ is a known value at time t, and $F_t$ is the forecast value of the variable Y at time t [29]. Here, we have the value of α = 0.4 so as to attain a balanced influence of observations on the forecasting results. Table 9 provides the forecast results of healthcare data breaches and their cost, determined using the SES method. The forecast values were calculated on the basis of actual (known observations) values using Equation (2). Afterwards, we compared the results with those generated by the data analysis tool in MS-Excel to verify the accuracy. The final results of the forecasting are presented in Table 9.
Table 9
Year | Number of Data Breaches (Actual Values) | Forecast Values by SES Method | Cost Per Record in Healthcare (Actual Values) | Forecast Values by SES Method |
---|---|---|---|---|
2010 | 199 | N/A | $294 | N/A |
2011 | 200 | 199 | $240 | $294.00 |
2012 | 217 | 199.6 | $233 | $261.60 |
2013 | 278 | 210.04 | $296 | $244.44 |
2014 | 314 | 250.816 | $359 | $275.37 |
2015 | 269 | 288.7264 | $363 | $325.55 |
2016 | 327 | 276.8906 | $355 | $348.02 |
2017 | 359 | 306.9562 | $380 | $352.20 |
2018 | 365 | 338.1825 | $408 | $368.88 |
2019 | 505 | 354.273 | $429 | $392.35 |
2020 | − | 444.7092 | − | $414.34 |
Figure 9 summarizes healthcare data breach forecasting using the SES method. The actual curve of the graph always lies above the forecast curve except at data point 6, where the forecast data point value is higher than the actual (known) value. For the year 2020, only a forecast value was available, which we predicted on the basis of previous historical data.
Figure 10 presents the results of cost forecasting of exposed health records, as determined using the SES method. The data points on the actual curve represent the original values of observations, whereas those on the forecast curve represent prediction (forecasting) values.
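Equations (1) and (2) carried through on the actual columns of Tables 8 and 9, as an added example that is not the authors' code (they used Excel's data analysis tool); the function names are this example's own. It reproduces the Table 8 SMA column with n = 2, shows that the Table 9 SES column is obtained with weight 0.6 on the latest observation and 0.4 on the previous forecast, and scores both methods against the following year's actual value.

```python
# Added example (not from the paper): Equations (1) and (2) applied to the
# "actual" columns of Tables 8 and 9. Function names are this example's own.

BREACHES = [199, 200, 217, 278, 314, 269, 327, 359, 365, 505]  # 2010..2019
COST = [294, 240, 233, 296, 359, 363, 355, 380, 408, 429]      # $ per record


def sma(obs, n=2):
    """Equation (1): A_t = (O_t + ... + O_{t-n+1}) / n, for every t with n values."""
    return [sum(obs[t - n + 1:t + 1]) / n for t in range(n - 1, len(obs))]


def ses(obs, alpha):
    """Equation (2): F_{t+1} = alpha*y_t + (1 - alpha)*F_t.

    Seeded with the first observation as the forecast for period 2, so the
    result holds forecasts for periods 2..len(obs)+1 (2011..2020 here).
    """
    forecasts = [float(obs[0])]
    for y in obs[1:]:
        forecasts.append(alpha * y + (1 - alpha) * forecasts[-1])
    return forecasts


def mae(actual, forecast):
    """Mean absolute error over paired actual/forecast values."""
    pairs = list(zip(actual, forecast))
    return sum(abs(a - f) for a, f in pairs) / len(pairs)


def one_step_errors(obs, alpha, n=2):
    """Score both methods on the same years (2012..2019 for n = 2).

    A_t is scored against O_{t+1}, as Equation (1) defines the forecast;
    F_{t+1} is scored against y_{t+1}.
    """
    averages = sma(obs, n)        # A_n .. A_last
    smoothed = ses(obs, alpha)    # F_2 .. F_{last+1}
    targets = obs[n:]             # O_{n+1} .. O_last
    return {
        "sma": mae(targets, averages[:-1]),
        "ses": mae(targets, smoothed[n - 1:-1]),
    }


if __name__ == "__main__":
    print("SMA, n=2 :", sma(BREACHES))
    # Table 9 is reproduced with weight 0.6 on the latest observation.
    print("SES, 0.6 :", [round(f, 4) for f in ses(BREACHES, 0.6)])
    print("SES, 0.4 :", [round(f, 4) for f in ses(BREACHES, 0.4)])
    print("SES cost :", [round(f, 2) for f in ses(COST, 0.6)])
    print("one-step MAE:", one_step_errors(BREACHES, 0.6))
```

Excel's Exponential Smoothing tool asks for a damping factor, which is 1 − α, so entering 0.4 there applies 0.6 to the latest observation. Table 8 lists each moving average in the row of year t, whereas `one_step_errors` scores it against year t + 1, as Equation (1) defines the forecast.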
6. Discussion
The transformation of the healthcare industry from one that uses paper-based systems to one that is based upon electronic health record systems has been made possible because of smart phones, information systems, IOMT, cloud services, internet connectivity, and other web-based smart devices. Advances in information and communication technology have made healthcare data more digitized, distributive, and mobile. Despite the numerous advantages of EHRs, the digital health data of patients is at huge risk today. As chronicled in our study, data breach trends have also undergone a massive transformation. The comprehensive analysis undertaken in this study reveals that the healthcare industry is the focus of many cyber invaders. Moreover, we analyzed different data breach reports generated by different organizations and institutes to gain insights, and apply them, in our future research work. The final results from this study are:
- More than 10 billion records were exposed from different sectors from 2005 to 2019. These sectors were MED, BSF, BSO, EDU, NGO, BSR, and GOV.
- There have been 3912 confirmed data breach cases in the healthcare sector alone. About 43.38% of health data was compromised from 2005 to 2019, the highest among all sectors.
- The greatest number of breach attacks on EHRs was initiated by Hacking (HACK). Statistics show that more than 64% of health data was breached from 2005–2019. Moreover, in the last five years (2015–2019) alone, hacking incidents exposed more than 92% of records. This shows an alarming change in hacking attacks on healthcare organizations. Other types of attacks that affected the healthcare industry were PHYS and PORT, being the causes of 14.39% and 9.51% of the total exposed records from 2005 to 2019, respectively.
- HIPAA and OCR reports also showed that hacking/IT incidents are the main cause behind healthcare data breaches. As per the HIPAA reports, 255.18 million people were affected by 3051 healthcare data breach incidents from 2010 to 2019.
- The main types of attacks used to breach protected health data are hacking/IT incidents, unauthorized access/internal disclosure, theft/loss, or improper disposal. However, in the last three or four years, theft/loss and improper disposal have shown a decreasing trend. In contrast, hacking/IT incidents and unauthorized internal disclosures have shown marked increases, especially hacking incidents, which have increased very rapidly in frequency in the last few years.
- Hacking/IT incidents increased by 73.4% in 2019 from 2018. However, unauthorized internal disclosure, theft/loss, and improper disposal decreased by 0.7%, 7.8%, and 22.22%, respectively, from 2018 to 2019.
- The main locations from which confidential healthcare data were breached over the last four years were email and network servers. Paper/Films have also been major targets since 2010, although there has been a decrease in attacks on Paper/Films in the last four years.
- In the healthcare industry at present, the average cost of a data breach is $6.45 million, up from $3.92 million in 2019 [9]. The average cost of a breached record is $150. But in the healthcare industry, the cost of each breached record was $429 in 2019 [13]. The average cost of each record increased by 1.35% in 2019 relative to 2018, and the cost of each breached record in the healthcare sector increased by 5.14% in 2019.
- The SMA and SES methods of time series analysis were used for healthcare data breach and cost forecasting. The generated results indicated that SMA provides more accurate forecast results than SES. SMA produced results which showed more symmetry with the actual results than the SES results.
7. Conclusions
From our analysis of healthcare data breaches, the authors concluded that E-health data is highly susceptible, as it is targeted most frequently by attackers. A long-term analysis of data breaches showed that healthcare records were exposed by both internal and external attacks, such as hacking, theft/loss, unauthorized internal disclosure, and the improper disposal of unnecessary but sensitive data. Nevertheless, our short-term analysis showed that hacking/IT incidents are most commonly used by attackers. Furthermore, the short-term analysis also showed that Email and Network servers are the main locations from which confidential health data is breached. Our cost analysis showed that healthcare data breaches are far more expensive than the average cost of data breaches, especially in developed countries. The time series analysis results showed that both data breaches and their costs will increase in future. Hence, preventive measures need to be prioritized by researchers, security experts, and healthcare organizations.
There are several other aspects that need to be focused upon in research that seeks to provide insights into healthcare data breaches. The authors of the present study only used the most pertinent ones. Nevertheless, the authors intend to pursue the following specific domains in the future:
- Identify and address the primary victims of cyber-attacks on the healthcare sector.
- Undertake a study that investigates whether healthcare organizations are lacking usable-security measures because of the absence of accountability and improper training of employees and clients.
- Classify hacking/IT incidents that led to healthcare data breaches.
- Identify preventive measures that should be taken to avoid healthcare data breaches.
Acknowledgments
Authors are grateful to the College of Computer and Information Sciences, Prince Sultan University for providing the funds to undertake this research study.
Author Contributions
A.H.S., A.K.S., M.Z. and G.A. contributed to the motivation, the estimation of the method effects and the results. R.K. proposed minor suggestions. A.H.S., A.A. and R.A.K. provided the concept, prepared the draft versions, performed the evaluation and extracted the conclusions. A.A. and R.A.K. supervised the study. All authors have read and agreed to the published version of the manuscript.
Funding
College of Computer and Information Sciences, Prince Sultan University, Kingdom of Saudi Arabia.
Conflicts of Interest
The authors declare no conflict of interest.
References
2. Kamoun F., Nicho M. Human and organizational factors of healthcare data breaches: The Swiss cheese model of data breach causation and prevention. Int. J. Healthc. Inf. Syst. Inform. 2014;9:42–60. doi: 10.4018/ijhisi.2014010103.
4. Chernyshev M., Zeadally S., Baig Z. Healthcare data breaches: Implications for digital forensic readiness. J. Med. Syst. 2019;43:7. doi: 10.1007/s10916-018-1123-2.
5. Liu V., Musen M.A., Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313:1471–1473. doi: 10.1001/jama.2015.2252.
11. Wikina S.B. What caused the breach? An examination of use of information technology and health data breaches. Perspect. Health Inf. Manag. 2014;11:1–16.
14. Collins J.D., Sainato V.A., Khey D.N. Organizational Data Breaches 2005–2010: Applying SCP to the Healthcare and Education Sectors. Int. J. Cyber Criminol. 2011;5:794–810.
23. 2018 Cost of Data Breach Study: Impact of Business Continuity Management. Available online: https://www.ibm.com/downloads/cas/AEJYBPWA (accessed on 12 February 2020).
29. Ostertagova E., Ostertag O. Forecasting Using Simple Exponential Smoothing Method. Acta. Electrotech. Inform. 2012;12:62–66. doi: 10.2478/v10198-012-0034-2.
Articles from Healthcare are provided here courtesy of Multidisciplinary Digital Publishing Institute (MDPI)
Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7349636/