While the healthcare industry has the most data breaches involving protected health information (PHI), 90 percent of all industries have experienced a PHI-related data breach in the past 10 years, according to a Verizon Enterprise Solutions study report.
Also among the study findings, unencrypted lost and stolen devices, such as laptops, are a big problem in the healthcare industry: 45 percent of PHI-related data breaches were related to lost or stolen assets. Detecting a data breach also continues to be a problem for organizations that handle PHI, as the study found that 31 percent of incidents in 2014 took months for information security teams to detect, and 18 percent of incidents took years to be detected. The study authors found that the incidents that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database).
In its Verizon Protected Health Information Data Breach Report, Verizon Enterprise Solutions analyzed 1,900 data breaches and 392 million records in order to take an in-depth look at how PHI breaches happen, how long it takes to discover a breach, how PHI breaches affect the doctor-patient relationship, and how to mitigate the risks. While the oldest record in the study is from 1994, most of the data security incidents in the study occurred between 2004 and 2014.
When breaking down PHI-related data breaches by industry, the healthcare industry, unsurprisingly, had the largest number of incidents at 1,403; however, one surprising detail from the study was that all but two of the top-level industries also had PHI-related data breaches. For instance, finance had 113 breaches that included PHI, educational had 51 incidents, retail had 43, professional had 35 and administrative had 21 incidents. Even manufacturing had 10 incidents and trade had 10 incidents where PHI was lost.
“That’s one of the more interesting points that comes out of this report, which is that PHI is not just a healthcare industry problem, and, conversely, this report also shows that payment card industry (PCI) information is not just a retail problem,” Marc Spitler, senior analyst at Verizon Enterprise Solutions and co-author of the Verizon Protected Health Information Data Breach Report, says.
The study authors attribute the loss of PHI data in other industries to factors such as worker’s compensation claims, companies collecting health or medical information for wellness programs and collecting PHI as part of managing employee health insurance programs.
For the purposes of the study, the study authors defined PHI as personally identifiable health information collected from an individual, and covered under one of the state, federal or international data breach disclosure laws. PHI may be collected or created by a healthcare provider, health plan, employer, healthcare clearinghouse or other entity.
“The main criterion is whether there is a reasonable basis to believe the information could be used to identify an individual. In the U.S., the disclosure of this type of information would trigger a duty to report the breach under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and one or more of the state laws,” the study authors wrote.
Also, because the purpose of the study was to focus on the most common ways PHI is disclosed, the study included records that were not only within the healthcare industry, but also records in which the data type lost was classified as “medical records” and the data subject/victim relationship was identified as “patient.”
According to the study, external “actors” were behind the largest number of PHI breaches (903), while internal “actors” were responsible for 791 incidents, followed by partners with 122 incidents.
The study also indicated that the top three Actions related to PHI incidents were Physical, which is primarily theft of devices that contain PHI or tampering with devices; Error, which includes lost devices that contain PHI or mis-delivery of medical information, such as an email containing PHI sent to the wrong person; and Misuse, which entails an internal actor misusing their access to PHI in a malicious or inappropriate way.
With regard to external threats and theft, Spitler says it’s important to be aware of the motives behind these PHI-related data breaches, which is typically to get to the personal information that’s often included in medical records, such as names and social security numbers. Even when medical records are taken with malicious intent, it is frequently the associated personally identifiable information (PII) that is targeted and used to commit various types of financial crime, including tax fraud and identity theft.
And, there are many paths that cyber attackers can use to get to PHI data, whether it’s theft, using an insider to access the data, disabling physical controls or phishing. The challenge for healthcare organizations and other organizations that handle PHI is to tailor mitigations to make it more challenging for an attacker to compromise PHI.
“No organization is completely secure, but you want to put up as many obstacles for the attacker to overcome as you can within your existing resources. The biggest challenge is that you need to stop every way an attacker can get from that first action to their final goal,” the study authors wrote. “The idea is that if you make it more difficult for the attacker to get to their ultimate goal, they’ll move along to an easier target.”
When analyzing incident patterns, the study also found that almost half of the PHI-related data breaches (45 percent) involved lost or stolen assets, such as laptops or devices.
“It is frustrating to see this category return year after year because it’s one of the more easily solved problems,” the study authors wrote.
Spitler points out that encryption, particularly on portable devices not directly used for patient care, would significantly reduce the risk of a data breach even if a device is lost or stolen.
“You can’t completely prevent lost or stolen assets, but what you can do is lessen the impact, and encryption on mobile devices is a no-brainer as it would limit the loss to the company to the physical asset itself,” Spitler says. “Full disk encryption is not really a bleeding edge technology, and it’s not an overly expensive technology. There’s even a lot of onboard ability on these operating systems now to provide that level of encryption.”
The study authors state that even if organizations only encrypt a subset of their portable assets, it will reduce the overall risk of a breach on those assets that are not directly used for patient care.
The study also found that 85 percent of the PHI-related data security incidents included in the study could be described by three incident patterns -- lost and stolen assets, privilege misuse and miscellaneous errors.
With regard to privilege misuse, Spitler encourages healthcare organizations to track user access as it relates to PHI data.
“Make sure that you are able to attribute access to a particular person, so everybody should have an account that is specific to them so there is no sharing of passwords,” he says. Employee security awareness programs should include sanitized results of audits that catch people abusing their access, and should educate employees that abusing their access in collusion with an external entity for financial gain could result in criminal charges.
In addition to the obligation to report PHI data breaches under HIPAA and any potential HIPAA security violations, one consequence of data breaches is the impact on the doctor-patient relationship.
“Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. This is not only a potential issue for the treatment of a specific patient; there are potential public health implications. An unwillingness to fully disclose information could delay a diagnosis of a communicable disease,” the study authors wrote.
According to the study authors, examining the U.S. Department of Health and Human Services data alone shows that PHI for half of the population of the United States has been impacted by breaches since 2009. At the same time, public and private healthcare providers are adopting electronic medical records (EMRs), which means more medical information is now in electronic form. And the FBI has issued a warning that increased cyber intrusions in the healthcare industry are likely.
There is some good news, according to the study authors: organizations with PHI are detecting incidents faster and are closing the detection deficit, the time between when data is compromised and when the breach is detected.
The study authors concluded that healthcare organizations need to “assess processes, procedures and technologies that affect the security of these patient records.”