In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.
This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set, with more healthcare breaches occurring and more records exposed in 2023 than in any previous year. This report puts forth the detailed analysis.
We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.
Report
The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.
In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.
This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to analytics software, including the Meta (Facebook) Pixel. Once again, a new breach record was established, with more healthcare breaches occurring in 2022 than in any previous year. This report puts forth a detailed analysis.
405(d) Health Industry Cybersecurity Practices (HICP) is a healthcare cybersecurity framework created out of a congressional mandate from the Cybersecurity Act of 2015. Section 405(d) of this mandate has the goal of strengthening the cybersecurity posture of the healthcare and public health sector. A collective called the 405(d) Task Force was formed from both the public and private sectors. This task force contains members of the U.S. Department of Health and Human Services, over 200 healthcare and cybersecurity experts, and the Health Sector Coordinating Council. Their deliverable was the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. This framework contains 326 cybersecurity controls for organizations within the healthcare industry.
What is a Cybersecurity Framework?
A cybersecurity framework is a collection of controls that companies can put in place to reduce the risk of a cyber-attack. An example control could be “Enable Multi-Factor Authentication (MFA) for all Remote Access”.
What Size Organizations Use 405(d) HICP?
Any size organization can use the 405(d) HICP guidance. The framework is divided into three sections: Small Organizations, Medium Organizations, and Large Organizations. The framework recommends that healthcare organizations follow the controls specific to their size. One may ask how the size of an organization is determined. The framework contains a chart that organizations can use to determine their size. This chart is shown below.
Is 405(d) HICP Only for Healthcare?
Most of the controls within 405(d) HICP can be used by organizations in any industry. However, there is one section of the framework, Section 9, which contains 25 controls for Medical Devices. This section simply would not apply to non-healthcare industries.
How Can I Follow the 405(d) Guidance?
The 405(d) HICP Framework can be found as a detailed PDF or a basic spreadsheet on the Health and Human Services website: https://405d.hhs.gov/protect/hicp. Unfortunately, working through the PDF or spreadsheet is not ideal because it takes considerable manual effort to create graphs that show progress and program maturity. Thankfully, Stern Security has built the 405(d) framework into Velocity. Within Velocity, the 405(d) framework is easy to use, has a clean interface, contains graphs that depict an organization's maturity, and has reports for download. Additionally, the controls for small organizations are completely FREE. Any organization can quickly sign up for a free Velocity account and start using the 405(d) HICP framework today.
In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.
This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than in any other year, and this report illustrates the detailed analysis.
Healthcare breaches have recently reached a grim milestone. As of June 10th, 2022, the number of Protected Health Information (PHI) records breached has reached 341,995,928. To put this in perspective, this number surpasses the United States population, which stands at 332,759,097 (United States Census Bureau, 2022).
It must be noted that these numbers only include reported healthcare breaches containing 500 or more PHI records. Healthcare breaches under 500 records are not listed publicly. To view additional trends, please visit our healthcare executive data breach dashboard at https://www.healthcarebreaches.com/ and use the control panel on the left side to fine-tune your area of interest.
Works Cited
United States Census Bureau. (2022, June 10). U.S. and World Population Clock. Retrieved from United States Census Bureau: https://www.census.gov/popclock/