Nearly 1 in 5 health data breaches take years to spot, says Verizon

And 90 per cent of all industries have lost people's sensitive med info

Stolen medical information is a prevalent problem across multiple industries, according to a new study by Verizon.

The issue is compounded because many organisations outside of the healthcare sector do not even realise they hold this type of data.

Common sources of protected health information are employee records (including workers’ compensation claims) or information for health programs. These repositories are frequently poorly protected.

Medical data loss is not just a problem for healthcare. According to Verizon, 90 per cent of all industries have suffered a data breach that resulted in the loss of medical data, including the retail, finance, mining and educational sectors, amongst others.

Verizon’s researchers analysed 931 incidents of confirmed protected health information breaches involving more than 392 million records. The global study covered 25 countries across North America, Europe and the Asia-Pacific region.

One in five health record breaches involved privilege misuse. Staff not infrequently abused their privileges in order to snoop and look at medical records held on the same local area network or on a weakly secured database server on the corporate intranet.

Loss of unencrypted devices is a major problem for the healthcare industry itself. Around a third (31.3 per cent) of incidents where human error was involved in one way or another in data breaches were down to lost devices.

The one positive trend in this area over the last five years is that it’s taking less time for organisations to realise they have a problem. Even so, only 31 per cent of incidents are found within days: 31.25 per cent took months and 18.75 per cent took years to find.

Verizon’s 2015 Protected Health Information Data Breach Report was compiled by the same team that puts together the firm's Data Breach Investigation Report, a benchmark annual study of data breaches.

The health information report focuses on the problem of medical data loss, from how it is disclosed, to who is causing it and what can be done to combat it.

The report contains incidents contributed by organisations including the CERT Insider Threat Center, CrowdStrike, Deloitte, the Dutch National High Tech Crime Unit, Kaspersky Lab and the US Secret Service, amongst others. The study also includes the US Health and Human Services incident database and a significant number of incidents from the US Veteran’s Administration, as reported to Congress.

“Many organisations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior security analyst and lead author for the Verizon Enterprise Solutions report. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organisations and individuals. Protected Health Information is highly coveted by today’s cybercriminals,” she added.

According to recent studies referenced in the report, people are withholding (sometimes critical) information from their healthcare providers because they are concerned that there could be a data breach.

“Healthcare organisations need to realise that patients trust them with their data and if that trust is broken, the implications can be huge,” Widup concluded.

The number of external and internal actors in personal health information breaches is nearly equal, with just five percentage points' difference, meaning there is more insider misuse relative to hacker action in this area than for data privacy breaches more generally. Detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud.

Differences are also evident in how the breach occurs. The primary action of attack is theft of lost portable devices (laptops, tablets, thumb drives), followed by error, which can simply be sending a medical report to the wrong recipient or losing a laptop. These two, combined with a third area of employee abuse, make up 86 per cent of all personal health info data breaches, according to Verizon.

Earlier this year the FBI issued a warning to healthcare providers stating that “the healthcare” industry is not as resilient to cyber intrusions compared to the financial and retail sectors, and warning that the possibility of increased cyber intrusions is therefore “likely.”

Verizon’s report – which offers insights and recommendations on best practice in protecting health-related private data – is available here. ®
