Patient Data Breaches Affect 90% of Industries: Verizon

Stolen medical information is an issue that affects 18 out of 20 industries, making the problem more widespread than previously believed, Verizon’s 2015 Protected Health Information Data Breach Report reveals.

According to the recently released study, most organizations outside of the health sector don’t even know they hold this type of data, which includes protected health information such as employee records (including workers’ compensation claims) and information for wellness programs. After the healthcare sector, breaches of Protected Health Information (PHI) occur most often in the public, financial, retail, and educational industries.

Verizon notes that PHI breaches differ in numerous ways from other DBIR data sets. One example is the number of external and internal actors involved in such incidents, which is nearly equal: the difference between them is only 5 percentage points, underlining the fact that the internal threat is alive and well, although some incidents might be accidental.

The report revealed that medical record data is often accessed with malicious intent, though attackers are usually going after personally identifiable information (PII) such as credit card and social security numbers. Cybercriminals can use this type of data to engage in financial crimes and tax fraud, yet they often also steal diagnosis information, lab results, treatment plans, and credentials.

Breaches can occur in multiple ways, but the three most frequent causes make up 86 percent of all incidents. The most frequent (45.4 percent) is the theft or loss of portable devices such as laptops, tablets, and thumb drives; the second (20.3 percent) is misuse, where an employee abuses their access to patient information; and the third (20.1 percent) is error, which can involve sending a medical report to the wrong recipient or losing a laptop.

When it comes to the time required to discover PHI breaches, Verizon has discovered that 33.2 percent of incidents can go undetected for months, while 18.75 percent are not discovered for years. Breaches in the latter category proved to be three times more likely to be caused by an insider abusing LAN access privileges and twice as likely to be targeting a server, particularly a database.

The report also cites studies showing that many people withhold information from their healthcare providers because they fear data breaches. The unwillingness to fully disclose information could delay the diagnosis of a communicable disease, especially if that disease has social stigma attached.

Verizon says that nearly half of the population of the United States has been affected by breaches of PHI since 2009. Earlier this year, the FBI warned healthcare providers that the industry is not as resilient to cyber intrusions as the financial and retail sectors, meaning that increased cyber intrusions are likely to affect organizations in this sector.

Verizon’s Data Breach Investigations Report (DBIR) is based on data involving confirmed PHI breaches in 1,931 incidents across 25 countries. These incidents resulted in over 392 million records being disclosed, yet 24 percent of the involved organizations did not provide a finite number of records involved. 87 percent of the exposed data is from the U.S., since the U.S. Department of Health and Human Services (HHS) incidents were included in the report as well.

“Many organizations are not doing enough to protect this highly sensitive and confidential data. This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals,” Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report, said.

The debate around the security of healthcare data has intensified as organizations in the sector have seen a rise in security incidents, with 48 percent in a study admitting in April that their organization either failed a compliance audit or experienced a data breach in the last year. Mid-year, Trend Micro revealed that the Stegoloader Trojan hit companies in the healthcare industry the most, while a Ponemon Institute report found that the cost of data breaches is higher in healthcare than in other sectors.
