Verizon cybersecurity report on protected health information breaches finds internal actors pose greatest threat
The healthcare industry is the only sector in which people inside an organization represent the biggest threat to the security of protected health information. That’s a pretty startling finding from Verizon’s latest Protected Health Information Data Breach Report.
Verizon’s dataset included incidents from its 2016 and 2017 Data Breach Investigations Reports.
Now in its third year, the study examined more than 1,360 security incidents. It found that more than 57 percent of breaches were caused by people inside the healthcare organization, compared with 42 percent caused by external actors.
So what motivates the people behind the internal breaches? Mostly money, not surprisingly, enabled by convenience. These breaches can lead to tax fraud or credit card fraud, since the insiders have enough personal information to open a line of credit. Curiosity is another motive and accounts for 94 data breach cases, whether the subject is a family member, neighbor, or celebrity, according to the report.
A whopping 458 breaches were unintentional errors. Whether that’s comforting or not, it underscores the need for training and the simple fact that not enough healthcare facilities have done an adequate job of it. When the report breaks this category down further, it reveals that information incorrectly transmitted or mailed to the wrong person is the biggest source of unintentional breaches, followed by disposing of sensitive information in an insecure manner and, of course, loss.
The report also highlights the continuing threat of ransomware attacks, the largest source of malware breaches. Ransomware is quick, requires little effort on the part of the attacker, carries low risk for the criminal, and is very lucrative, according to the report.
A comparison between hospitals and physician practices in the context of PHI breaches also produces some interesting insights, particularly in how breaches are discovered. Misuse incidents, defined in the report as unapproved or malicious uses of organizational resources with a distinct motive, show the starkest contrast between clinics and hospitals in how they are discovered. Incidents involving hospitals are discovered almost equally by internal methods and external parties, but for clinics the ratio of external to internal discovery is close to 3:1. Hospitals were also 8 times more likely to discover an incident through an IT review than the other victims, the report observed.
Although breaches of connected medical devices (IoT) have gotten much attention, they have been less of a problem.
As the use of the IoT becomes more commonplace across the sector, establishing a proactive policy of building security into any and all implementations is vital in addressing what could be an increasing threat in the future. Focusing on resiliency and availability in IoT implementations, as well as integrity and confidentiality, is also important.
One of the conclusions reached by the report is a little puzzling:
Breaches involving electronic PHI included the publishing of sensitive data on public websites (7 percent) and misdelivery (7 percent) via email – still alarming, but much less so than those breaches associated with old-fashioned paper documents.
Say what? The downside of paper documents is that they’re not as easy to share. But as much as everyone hates the fax machine, the advantage paper documents have over digitized data, for those who know how to work them, is that they take more time to share, which would probably put off fraudsters.
The push for digitizing electronic health records in the quest for interoperability has many compelling arguments. But one item that clearly should have been factored into the cost of EHR systems before they’re implemented is the cost to healthcare institutions of safeguarding these systems against both internal and external threats, and of tracking down and identifying the source of criminal behavior inside these institutions earlier. That may be an oversimplification of hospital protocols, the financial incentives of the HITECH Act and the limits of healthcare facilities’ resources, but in the process of implementing EHR systems, the security measures needed to reduce the internal threat to PHI haven’t received enough attention.
Image: mattjeacock, Getty Images