Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

12/17/2015
02:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches

New Verizon PHI report finds that organizations' workers comp and wellness programs are also vulnerable repositories for personal health information.

Financial services companies, retailers, government agencies, take heed. You're vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday.

The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States.

The data is gathered from breaches covered in the Verizon Data Breach Incident Report and in the Vocabulary for Event Recordings and Incident Sharing Community Database. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a "patient" by the breached organization.

Therefore, not all "PHI" in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist's office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program.

In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations. "That's going to be surprising to them too I think," says Suzanne Widup, senior consultant for the Verizon RISK team and lead author of the report.

Widup says much of this sensitive information is being volunteered by employees, and showing up in  worker's compensation and wellness program files. Companies "need to treat that data just like any other data," says Widup, and secure it accordingly.

Yet, the majority of incidents still came from healthcare. The type of actors and threats also varied by the type of healthcare organization. The vast majority of events came from hospitals and from "ambulatory healthcare services," which includes physician's offices, denstist's offices, diagnostic labs, and a variety of other outpatient care centers.

While ambulatory services are more prone to attacks by external threat actors, hospitals are more vulnerable to insiders, both malicious and accident-prone. Hacking and malware are smaller problems in hospitals (experienced by only 7.4% and 3.4% of hospitals, respectively), but a more significant issue for ambulatory services (14.3% and 9.3%). Conversely, misuse -- like snooping on celebrity medical records, Widup suggests -- is a much bigger problem for hospitals (25.2%) than it is for ambulatory services (13.9%).

For both though, the top problems are "error" (22.0% for ambulatory services, 28.2% for hospitals) and "physical actions," like loss or theft of unencrypted devices (38.9% for ambulatory services, 32.0% for hospitals). Does the sad "physical action" figure in this particular report, however, simply reflect the fact that the report covers incidents that occurred before hard-disk encryption of laptops was a standard security best practice?

"God I wish it did," says Widup. Healthcare, she says, continues to lag behind when it comes to putting in encryption as a control. "This is something we see consistently in healthcare year after year ... It's really kind of frustrating."

The healthcare industry is often wary of security measures that could jeopardize the availability and performance of devices, particularly when they are essential to emergency patient care. However, devices that are often lost and stolen, says Widup, are not even used in patient care. She suggests that healthcare organizations look at a subset of those devices that aren't used in patient care, but might nevertheless hold medical records -- or credentials to systems that hold medical records -- and start at least locking down those systems.

On the plus side, incidence of lost/stolen devices were discovered relatively quickly. Conversely, according to the report, "incidents in this dataset that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database)."

The weak security of healthcare data is having far-reaching effects. The Verizon report references a Harvard study that found 12.3% of respondents had withheld information from a healthcare provider because of security concerns and a study from Dartmouth and the University of Wisconsin-Milwaukee that found 13% of respondents reported having ever withheld information from a provider because of privacy/security concerns related to EHRs.

"It's pretty concerning," says Widup, "when you think about the implications for public health."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.