While the healthcare industry has the most data breaches involving protected health information (PHI), 90 percent of all industries have experienced a PHI-related data breach in the past 10 years, according to a Verizon Enterprise Solutions study report.
Also among the study findings, unencrypted lost and stolen devices, such as laptops, are a big problem in the healthcare industry: 45 percent of PHI-related data breaches were related to lost or stolen assets. Detecting a data breach also continues to be a problem for organizations that handle PHI, as the study found that 31 percent of incidents in 2014 took months for information security teams to detect, and 18 percent took years. The study authors found that the incidents that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database).
In its Verizon Protected Health Information Data Breach Report, Verizon Enterprise Solutions analyzed 1,900 data breaches and 392 million records in order to take an in-depth look at how PHI breaches happen, how long it takes to discover a breach, how PHI breaches affect the doctor-patient relationship, and how to mitigate the risks. While the oldest record in the study is from 1994, most of the data security incidents in the study occurred between 2004 and 2014.
When breaking down PHI-related data breaches by industry, the healthcare industry, unsurprisingly, had the largest number of incidents at 1,403; however, one surprising detail from the study was that all but two of the top-level industries also had PHI-related data breaches. For instance, finance had 113 breaches that included PHI, education had 51 incidents, retail had 43, professional services had 35 and administrative had 21. Even manufacturing had 10 incidents and trade had 10 incidents where PHI was lost.
“That’s one of the more interesting points that comes out of this report, which is that PHI is not just a healthcare industry problem, and, conversely, this report also shows that payment card industry (PCI) information is not just a retail problem,” says Marc Spitler, senior analyst at Verizon Enterprise Solutions and co-author of the Verizon Protected Health Information Data Breach Report.
The study authors attribute the loss of PHI data in other industries to factors such as workers’ compensation claims, companies collecting health or medical information for wellness programs, and companies collecting PHI as part of managing employee health insurance programs.
For the purposes of the study, the authors defined PHI as personally identifiable health information collected from an individual and covered under one of the state, federal or international data breach disclosure laws. PHI may be collected or created by a healthcare provider, health plan, employer, healthcare clearinghouse or other entity.
“The main criteria is whether there is a reasonable basis to believe the information could be used to identify an individual. In the U.S., the disclosure of this type of information would trigger a duty to report the breach under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and one or more of the state laws,” the study authors wrote.
Also, because the purpose of the study was to focus on the most common ways PHI is disclosed, the study included not only records from within the healthcare industry, but also records in which the data type lost was classified as “medical records” and the data subject/victim relationship was identified as “patient.”
According to the study, external “actors” were behind the largest number of PHI breaches (903), while internal “actors” were responsible for 791 incidents, followed by partners with 122 incidents.
The study also indicated that the top three Actions related to PHI incidents were Physical, which is primarily theft of or tampering with devices that contain PHI; Error, which includes lost devices that contain PHI or mis-delivery of medical information, such as an email containing PHI sent to the wrong person; and Misuse, which entails an internal actor misusing their access to PHI in a malicious or inappropriate way.
With regard to external threats and theft, Spitler says it’s important to be aware of the motives behind these PHI-related data breaches, which is typically to get at the personal information that’s often included in medical records, such as names and Social Security numbers. Even when medical records are taken with malicious intent, it is frequently the associated personally identifiable information (PII) that is targeted and used to commit various types of financial crime, including tax fraud and identity theft.
There are many paths that attackers can use to get to PHI data, whether it’s theft, using an insider to access the data, disabling physical controls or phishing. The challenge for healthcare organizations and other organizations that handle PHI is to tailor mitigations so that it becomes more difficult for an attacker to compromise PHI.
“No organization is completely secure, but you want to put up as many obstacles for the attacker to overcome as you can within your existing resources. The biggest challenge is that you need to stop every way an attacker can get from that first action to their final goal,” the study authors wrote. “The idea is that if you make it more difficult for the attacker to get to their ultimate goal, they’ll move along to an easier target.”