Financial services companies, retailers, government agencies, take heed. You're vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday.
The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States.
The data is gathered from breaches covered in the Verizon Data Breach Incident Report and in the Vocabulary for Event Recordings and Incident Sharing Community Database. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a "patient" by the breached organization.
Therefore, not all "PHI" in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist's office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program.
In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations. "That's going to be surprising to them too I think," says Suzanne Widup, senior consultant for the Verizon RISK team and lead author of the report.
Widup says much of this sensitive information is being volunteered by employees, and showing up in worker's compensation and wellness program files. Companies "need to treat that data just like any other data," says Widup, and secure it accordingly.
Yet, the majority of incidents still came from healthcare. The type of actors and threats also varied by the type of healthcare organization. The vast majority of events came from hospitals and from "ambulatory healthcare services," which includes physician's offices, denstist's offices, diagnostic labs, and a variety of other outpatient care centers.
While ambulatory services are more prone to attacks by external threat actors, hospitals are more vulnerable to insiders, both malicious and accident-prone. Hacking and malware are smaller problems in hospitals (experienced by only 7.4% and 3.4% of hospitals, respectively), but a more significant issue for ambulatory services (14.3% and 9.3%). Conversely, misuse -- like snooping on celebrity medical records, Widup suggests -- is a much bigger problem for hospitals (25.2%) than it is for ambulatory services (13.9%).
For both though, the top problems are "error" (22.0% for ambulatory services, 28.2% for hospitals) and "physical actions," like loss or theft of unencrypted devices (38.9% for ambulatory services, 32.0% for hospitals). Does the sad "physical action" figure in this particular report, however, simply reflect the fact that the report covers incidents that occurred before hard-disk encryption of laptops was a standard security best practice?
"God I wish it did," says Widup. Healthcare, she says, continues to lag behind when it comes to putting in encryption as a control. "This is something we see consistently in healthcare year after year ... It's really kind of frustrating."
The healthcare industry is often wary of security measures that could jeopardize the availability and performance of devices, particularly when they are essential to emergency patient care. However, devices that are often lost and stolen, says Widup, are not even used in patient care. She suggests that healthcare organizations look at a subset of those devices that aren't used in patient care, but might nevertheless hold medical records -- or credentials to systems that hold medical records -- and start at least locking down those systems.
On the plus side, incidence of lost/stolen devices were discovered relatively quickly. Conversely, according to the report, "incidents in this dataset that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database)."
The weak security of healthcare data is having far-reaching effects. The Verizon report references a Harvard study that found 12.3% of respondents had withheld information from a healthcare provider because of security concerns and a study from Dartmouth and the University of Wisconsin-Milwaukee that found 13% of respondents reported having ever withheld information from a provider because of privacy/security concerns related to EHRs.
"It's pretty concerning," says Widup, "when you think about the implications for public health."