Stolen medical information is a prevalent problem across multiple industries, according to a new study by Verizon.
The issue is compounded because many organisations outside of the healthcare sector do not even realise they hold this type of data.
Common sources of protected health information are employee records (including workers’ compensation claims) or information for health programs. These repositories are frequently poorly protected.
Medical data loss is not just a problem for the healthcare sector. According to Verizon, 90 per cent of all industries have suffered a data breach that resulted in the loss of medical data, including the retail, finance, mining and educational sectors, amongst others.
Verizon’s researchers analysed 931 incidents of confirmed protected health information breaches involving more than 392 million records. The global study covered 25 countries across North America, Europe and the Asia-Pacific region.
One in five health record breaches involved privilege misuse. Staff not infrequently abused their privileges in order to snoop on medical records held on the same local area network or on a weakly secured database server on the corporate intranet.
Loss of unencrypted devices is a major problem for the healthcare industry itself. Around a third (31.3 per cent) of incidents in which human error played a part in the data breach were down to lost devices.
The one positive trend in this area over the last five years is that it’s taking less time for organisations to realise they have a problem. Even so, only 31 per cent of incidents are found within days: 31.25 per cent took months and 18.75 per cent took years to find.
Verizon’s 2015 Protected Health Information Data Breach Report was compiled by the same team that puts together the firm's Data Breach Investigation Report, a benchmark annual study of data breaches.
The health information report focuses on the problem of medical data loss, from how it is disclosed, to who is causing it and what can be done to combat it.
The report contains incidents contributed by organisations including the CERT Insider Threat Center, CrowdStrike, Deloitte, the Dutch National High Tech Crime Unit, Kaspersky Lab and the US Secret Service, amongst others. The study also includes the US Health and Human Services incident database and a significant number of incidents from the US Veterans Administration, as reported to Congress.
“Many organisations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior security analyst and lead author for the Verizon Enterprise Solutions report. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organisations and individuals. Protected Health Information is highly coveted by today’s cybercriminals,” she added.
According to recent studies referenced in the report, people are withholding (sometimes critical) information from their healthcare providers because they are concerned that there could be a data breach.
“Healthcare organisations need to realise that patients trust them with their data and if that trust is broken, the implications can be huge,” Widup concluded.
The number of external and internal actors in personal health information breaches is nearly equal, with a difference of just five percentage points, meaning there is more insider misuse relative to hacker action in this area than in data breaches more generally. Detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud.
Differences are also evident in how the breach occurs. The primary action is theft or loss of portable devices (laptops, tablets, thumb drives), followed by error, which can be as simple as sending a medical report to the wrong recipient or misplacing a laptop. These two, combined with a third area of employee abuse, make up 86 per cent of all personal health information breaches, according to Verizon.
Earlier this year the FBI issued a warning to healthcare providers stating that the healthcare industry is not as resilient to cyber intrusions as the financial and retail sectors, and warning that the possibility of increased cyber intrusions is therefore “likely.”
Verizon’s report, which offers insights and recommendations on best practice in protecting health-related private data, is available here.