If you think your medical information is protected, you might want to reconsider.
It turns out that stolen medical information is a much more widespread issue than previously thought, affecting 18 out of 20 industries examined, according to the Verizon 2015 Protected Health Information Data Breach Report. These findings are part of a first-time report from Verizon’s Data Breach Investigations Report (DBIR) team that provides a detailed analysis of confirmed PHI breaches involving more than 392 million records and 1,931 incidents across 25 countries.
The focus of the study was on protected health information, or PHI, which is HIPAA's term for personally identifiable information. Because HIPAA's view of PHI is expansive, broad and abstract, regulators at the US Department of Health and Human Services (HHS) came up with a safe harbor list of specific identifiers, 18 in all, including IP addresses and biometric, facial, and medical-related identifiers. The Verizon team analyzed databases going all the way back to 1994, looking for incidents where PHI from the safe harbor list was exposed.
The first interesting point Verizon makes in their report is that a lot of PHI is being exposed even when the target of the attack was not, in HIPAA-speak, a "covered entity". The study's dataset represents a comprehensive understanding of how PHI can be compromised and therefore extends beyond the "healthcare" industry. "Medical records" as a lost data type and a "patient" subject/victim relationship were also taken into consideration, which means that a unique variety of industries, including agriculture, real estate, and transportation, were examined in the analysis. This inclusion likely reflects breaches relating to worker compensation claims, wellness programs, and health insurance. In other words, somewhere in the database or scattered across the file system of the breached company, there was disassociated PHI (Social Security numbers, insurance IDs, credit card numbers, email addresses) related to a healthcare transaction or program.
By far the most common means of compromise was physical (677 incidents), such as installing skimming devices on ATMs and gas pumps, followed by error (524), misuse (362), hacking (215), malware (110), and social (50). All of these actions compromised at least one of the following types of information: PHI, payment or payment card industry (PCI) information, personal or personally identifiable information (PII), and credentials. Further investigation revealed, however, that high-bulk credential breaches were an exception. In most cases, credentials were individually exposed by a phishing email or keylogger and subsequently abused as a gateway to other types of information, which were predominantly stolen by the thousands out of databases.
Overall, the analysts found that approximately half (903) of the incidents in their dataset were caused by external actors. But with 791 incidents attributable to internal actors, it is clear that the insider threat is still a serious concern to organizations.
“Many organizations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals.”
Given the number of industries and records compromised in the report’s dataset, it is no wonder that patients are withholding information from their providers out of the fear of a data breach. As Sara Peters of Dark Reading writes, a Harvard study found that 12.3% of respondents had withheld information from a healthcare provider because of security concerns, whereas a study from Dartmouth and the University of Wisconsin-Milwaukee found that 13% of respondents reported having withheld information due to privacy/security concerns. This could not only erode the trust between medical providers and their patients, but also cause catastrophic public health issues.
Furthermore, organizations that fail to make information security a priority risk losing $300 billion of cumulative lifetime revenue, damages which in part reflect that one in 13 patients in the United States will have their medical and/or personal information compromised over the next 3-4 years. If healthcare providers are complacent about safeguarding personal information, they risk losing substantial revenue and patients as a result of medical identity theft.
While there is no one "perfect" method of preventing future breaches, organizations can mitigate these risks by implementing encryption and security controls on laptops and mobile devices, designing training programs that emphasize how malicious insiders end up serving jail time, and creating quick and efficient reporting mechanisms for all employees should they commit a "human" error.
Let’s hope that the 2016 Verizon DBIR report turns out to be slightly more positive.