2023 Velocity Healthcare Data Breach Report

In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization: the number of breaches due to analytics software, including Meta (Facebook) Pixel. Once again, a new breach record was established, with more healthcare breaches occurring in 2022 than in any previous year. This report puts forth a detailed analysis.

Mailing List

If you enjoyed our 2023 Velocity Healthcare Breach Report and would like to join our mailing list to stay informed, please complete the form below.

The 405(d) HICP Cybersecurity Framework

What is 405(d) HICP?

405(d) Health Industry Cybersecurity Practices (HICP) is a healthcare cybersecurity framework created out of a congressional mandate from the Cybersecurity Act of 2015. Section 405(d) of this mandate has the goal of strengthening the cybersecurity posture of the healthcare and public health sector. A collective called the 405(d) Task Force was formed from both the public and private sectors. This task force contains members of the U.S. Department of Health and Human Services, over 200 healthcare and cybersecurity experts, and the Health Sector Coordinating Council. Their deliverable was the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. This framework contains 326 cybersecurity controls for organizations within the healthcare industry.

What is a Cybersecurity Framework?

A cybersecurity framework is a collection of controls that companies can put in place to reduce the risk of a cyber-attack. An example control could be “Enable Multi-Factor Authentication (MFA) for all Remote Access”.

What Size Organizations Use 405(d) HICP?

Any size organization can use the 405(d) HICP guidance. The framework is divided into three sections: Small Organizations, Medium Organizations, and Large Organizations. The framework recommends that healthcare organizations follow the controls specific to their size. One may ask how the size of an organization is determined. The framework contains a chart that organizations can use to determine their size. This chart is shown below.

Organization sizing guide (Department of Health and Human Services)

Is 405(d) HICP Only for Healthcare?

Most of the controls within 405(d) HICP can be used by organizations in any industry. However, there is one section of the framework, Section 9, which contains 25 controls for Medical Devices. This section simply would not apply to non-healthcare industries.

How Can I Follow the 405(d) Guidance?

The 405(d) HICP Framework can be found as a detailed PDF or a basic spreadsheet on the Health and Human Services website: https://405d.hhs.gov/protect/hicp. Unfortunately, working through the PDF or spreadsheet is not ideal because it takes considerable manual effort to create graphs that show progress and program maturity. Thankfully, Stern Security has built the 405(d) framework into Velocity. Within Velocity, the 405(d) framework is easy to use, has a clean interface, contains graphs that depict an organization's maturity, and has reports for download. Additionally, the controls for small organizations are completely FREE. Any organization can quickly sign up for a free Velocity account and start using the 405(d) HICP framework today.

Works Cited

Department of Health and Human Services. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved from HHS 405(d) Aligning Health Care Industry Security Approaches: https://405d.hhs.gov/Documents/HICP-Main-508.pdf

2022 Velocity Healthcare Data Breach Report

In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.

This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than in any other year, and this report illustrates the detailed analysis.

If you enjoyed the report and want to stay in the loop, please join our mailing list:

Breached Healthcare Records Surpass U.S. Population

Healthcare breaches have recently reached a grim milestone. As of June 10th, 2022, the number of Protected Health Information (PHI) records breached has reached 341,995,928. To put this in perspective, this number surpasses the United States population, which is at 332,759,097 (United States Census Bureau, 2022).

As the graphs show on HealthcareBreaches.com, this startling loss of data is almost entirely due to hacking.

It must be noted that these numbers only include reported healthcare breaches containing 500 or more PHI records. Healthcare breaches under 500 records are not listed publicly. To view additional trends, please visit our healthcare executive data breach dashboard at https://www.healthcarebreaches.com/ and utilize the control panel on the left side to fine-tune your area of interest.

Works Cited

United States Census Bureau. (2022, June 10). U.S. and World Population Clock. Retrieved from United States Census Bureau: https://www.census.gov/popclock/

Third-Party Risk Management Case Study: Large Hospital

Introduction

Velocity helped a large hospital system quadruple the speed of third-party risk assessments, increase the accuracy of reviews, create a continuous assessment process, and track internal risk using the Center for Internet Security (CIS) controls, the NIST Cybersecurity Framework (CSF), and the HIPAA Security Rule.

Background

The hospital was struggling to manually review hundreds of vendor (business associate) solutions, which caused delays in large projects. The security team tried hiring a third-party risk management service to offload the vendor reviews, but the results were greatly inaccurate.

At the same time, the hospital was trying to measure its internal security posture against CIS, NIST CSF, and the HIPAA Security Rule using spreadsheets. The spreadsheets only provided point-in-time reviews, could not be easily shared, made collaboration difficult, and could not be easily updated when the security frameworks changed.

To address both the vendor and internal risk measurement problems, this hospital decided to use the Velocity SaaS solution by Stern Security.

An Industry Problem

The growing risk management issues that the hospital was experiencing are common across all industries. Companies often initially try to address the vendor risk issue manually by sending spreadsheet questionnaires to vendors. However, this process is incredibly time-consuming. They have to manage the questionnaires, send them to and retrieve them from vendors, review the responses, hold meetings about the risks, and create reports. This process can take months to complete for a single vendor. Ideally, the customer would complete this every year for each vendor, but very few organizations have the bandwidth to accomplish anything close to that.

Many companies try to outsource the vendor risk management work to a service provider or purchase a product to complete the task. Unfortunately, most of the results from these solutions are inaccurate. Even fewer solutions address both internal and vendor risk.

Velocity prioritizes accuracy

After limited success with the manual approach and other products, this hospital found their ideal solution with Velocity.

Solution

Onboarding with Velocity took the hospital one hour, with most of the time spent on training. The hospital quickly replaced the spreadsheet used to measure internal risk and saw immediate results. Instead of using an outdated version of the CIS framework, the hospital could use the latest version with Velocity. The hospital also received a prioritized list of items to work on to improve its security posture. Additionally, when the hospital fixed an item on the list, it could see its security posture improve.

Customer employees became rockstars with Velocity

The hospital also made rapid improvements to its vendor risk management process. Instead of sending the standard security questionnaire to vendors, the hospital sent invitations from the Velocity platform and let the product do all of the work. The hospital received detailed security reports for its vendors in a quarter of the time. Hospital cybersecurity staff who were originally tasked with performing these vendor security reviews could now spend their time on other tasks while directing more vendors through Velocity than ever before. Velocity greatly sped up the hospital’s vendor security review process, which made the entire project evaluation process more efficient. Additionally, Velocity increased accuracy and saved the hospital valuable funds. Velocity added such value to the hospital that it renewed its subscription the following year.

Velocity saves the day! Case closed.