Analytics
12/17/2015
02:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches

New Verizon PHI report finds that organizations' workers comp and wellness programs are also vulnerable repositories for personal health information.

Financial services companies, retailers, government agencies, take heed. You're vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday.

The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States.

The data is gathered from breaches covered in the Verizon Data Breach Incident Report and in the Vocabulary for Event Recordings and Incident Sharing Community Database. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a "patient" by the breached organization.

Therefore, not all "PHI" in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist's office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program.

In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations. "That's going to be surprising to them too I think," says Suzanne Widup, senior consultant for the Verizon RISK team and lead author of the report.

Widup says much of this sensitive information is being volunteered by employees, and showing up in  worker's compensation and wellness program files. Companies "need to treat that data just like any other data," says Widup, and secure it accordingly.

Yet, the majority of incidents still came from healthcare. The type of actors and threats also varied by the type of healthcare organization. The vast majority of events came from hospitals and from "ambulatory healthcare services," which includes physician's offices, denstist's offices, diagnostic labs, and a variety of other outpatient care centers.

While ambulatory services are more prone to attacks by external threat actors, hospitals are more vulnerable to insiders, both malicious and accident-prone. Hacking and malware are smaller problems in hospitals (experienced by only 7.4% and 3.4% of hospitals, respectively), but a more significant issue for ambulatory services (14.3% and 9.3%). Conversely, misuse -- like snooping on celebrity medical records, Widup suggests -- is a much bigger problem for hospitals (25.2%) than it is for ambulatory services (13.9%).

For both though, the top problems are "error" (22.0% for ambulatory services, 28.2% for hospitals) and "physical actions," like loss or theft of unencrypted devices (38.9% for ambulatory services, 32.0% for hospitals). Does the sad "physical action" figure in this particular report, however, simply reflect the fact that the report covers incidents that occurred before hard-disk encryption of laptops was a standard security best practice?

"God I wish it did," says Widup. Healthcare, she says, continues to lag behind when it comes to putting in encryption as a control. "This is something we see consistently in healthcare year after year ... It's really kind of frustrating."

The healthcare industry is often wary of security measures that could jeopardize the availability and performance of devices, particularly when they are essential to emergency patient care. However, devices that are often lost and stolen, says Widup, are not even used in patient care. She suggests that healthcare organizations look at a subset of those devices that aren't used in patient care, but might nevertheless hold medical records -- or credentials to systems that hold medical records -- and start at least locking down those systems.

On the plus side, incidence of lost/stolen devices were discovered relatively quickly. Conversely, according to the report, "incidents in this dataset that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database)."

The weak security of healthcare data is having far-reaching effects. The Verizon report references a Harvard study that found 12.3% of respondents had withheld information from a healthcare provider because of security concerns and a study from Dartmouth and the University of Wisconsin-Milwaukee that found 13% of respondents reported having ever withheld information from a provider because of privacy/security concerns related to EHRs.

"It's pretty concerning," says Widup, "when you think about the implications for public health."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.