This article originally appeared in California Healthfax.
Healthcare providers accounted for 16% of all data breaches in California last year and nearly one-quarter were the result of hacking and malware, according to a new report released in February.
The 2016 California Data Breach Report from the state Attorney General's Office found the healthcare sector ranked third, behind only retail (25%) and finance (18%), among the sectors most vulnerable to breaches. The healthcare sector was also cited as doing a poor job of encrypting data that is often stolen in physical breaches, although it has improved its security in the past two years.
"The [healthcare] industry appears to be improving on its use of encryption to protect data on laptops and other portable devices, but there is still a long way to go in addressing this preventable type of breach," wrote state Attorney General Kamala Harris.
Physical breaches, such as lost or stolen computers and drives, were still the dominant form of breach in healthcare, accounting for 39% of all healthcare breaches in 2015 compared to just 13% in other business sectors. The report notes that "physical breaches have declined in healthcare the past two years," from a high of 72% of all healthcare sector breaches in 2013.
But the decline in physical breaches last year was offset by an increase in malware attacks and hacking, which accounted for 21% of data breaches in healthcare in 2015 compared to just 5% in 2013. The report suggests the trend is likely to continue as the healthcare industry transitions to electronic health records and the use of wireless portable devices.
"As the transition to electronic medical records continues, the healthcare sector will increasingly face the same challenges in securing digital data that other sectors have been grappling with for several years," the report stated. "Given the extreme sensitivity of data involved in healthcare breaches, this is a challenge that the industry must meet."
But meeting that challenge won't be easy. The report notes there are multiple ways for hackers to breach computer systems, including using phishing emails that implant a virus into servers when the email is opened by the recipient. The report makes a number of recommendations that include limiting employee access to emails and closely monitoring networks for things like stolen credentials, suspicious activity, and "brute force attacks" on passwords.
State Sen. Bob Hertzberg (D-Van Nuys) on February 18 introduced Senate Bill 1137, which would make attacks using a form of malware called "ransomware" a felony with fines and jail sentences similar to extortion. The bill was drafted in reaction to a ransomware attack at Hollywood Presbyterian Medical Center in February that required hospital officials to pay a $17,000 "ransom" to regain access to the hospital's own computer system.
Healthcare providers accounted for two of the five largest breaches in California from 2012 to 2015. According to the report, the single largest breach was reported in 2015 by Anthem in an incident that exposed 10.5 million records. A breach reported by the UCLA Health System in 2015 was the fourth largest and affected nearly 4.5 million files.