The 2015 Protected Health Information Data Breach Report by Verizon brings to light issues associated with the safeguarding of protected health information (PHI), the main causes of disclosure, and advice for organizations that handle such data.
While the data analysed in this report has a strong US bias (83%), the report should serve as a useful resource for organizations across the globe: it points to the fact that methods of attack are not location specific, with the largest single cause of data breaches – human error – proving to be a global issue.
Interestingly, the report reveals that healthcare is not the only industry responsible for PHI breaches, though naturally it is most prominent. Around 20 other industries are listed, including everything from education to agriculture.
This may seem surprising, but considering the potentially high quantities of PHI stored within employee wellness or health insurance programs, for example, it’s easy to see how an organization of any kind could become a target for attackers.
Listed below are five takeaways from the report.
1. PHI data breaches are not just a healthcare issue
As highlighted above, just because an organization is not in the healthcare industry or a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach, or consequently any less responsible for safeguarding that information: if PHI is disclosed, many of the existing federal and state laws will require notification of the breach to any potentially affected party. Case in point: PHI is not just a healthcare issue.
2. The patient-doctor relationship is compromised by lack of trust
As reports of PHI data breaches become more frequent, the trust between patients and their medical providers appears to be diminishing. The report references an external study that suggests patients are withholding (often critical) information from their healthcare providers because of concerns over privacy. This puts the patient at risk, as well as the wider public, as holding back key information could delay the diagnosis of communicable diseases.
3. PHI is not limited to digital assets
When we think of PHI data breaches we typically think of digital attacks or lost or stolen mobile devices; however, the report suggests that many PHI theft incidents involved physical documents such as paper and X-ray films. While theft of the latter is most likely motivated by the recycling value of the film rather than the data on it, that does not make it any more excusable, and it will still require the organization to report the breach. The main issue here is that physical documents cannot be encrypted, making them extremely vulnerable to theft or loss.
4. Lost and stolen assets account for the majority of PHI loss
Three key issues account for 85% of all PHI breach incidents. These are:
Lost and stolen devices (45%)
“Encryption (particularly of portable devices) offers a figurative “get out of jail free” card since the data remains secure despite the loss of control over the asset. In the vast majority of cases, this means the incident does not trigger a duty to report under most breach laws. However, in healthcare there is legitimate concern for any control that increases time to access data in an emergency situation.”
Privilege misuse (20%)
“[Privilege misuse]—when people who have legitimate access to the networks and systems of an organization use that access to do “bad things”—is driven by a variety of motivations. A common scenario is the “snooping employee,” and the most obvious case is curious staff members looking at medical records of a celebrity or dignitary.”
Miscellaneous errors (20%)
“Errors can be difficult for an organization to combat, and usually boil down to the need for checks along the way in processes that handle PHI. The most common errors are:
- Loss — Loss or misplacement of an asset.
- Misdelivery — Whether it is documents in the mail or electronic information in e-mail, it amounts to people getting data they weren’t supposed to.
- Disposal errors — Primarily paper documents, but also electronic devices containing sensitive information.
- Publishing errors — When private information gets posted to an Internet-facing system and then is indexed by search engines.”
5. Identifying threat patterns is crucial
Data breaches are very rarely a single point in time, but more commonly a complex chain of events. Therefore organizations must mitigate all possible paths an attacker can take, not just the direct path from point A to point B.
As the report highlights, “if you make it more difficult for the attacker to get to their ultimate goal, they’ll move along to an easier target.”
The following graph shows the 10 most common breach paths, from the initial action taken by the attacker, to the target that was successfully compromised as a result.
The point here is that by identifying the most common breach paths, organizations can tailor their security efforts more effectively – it’s all about using the resources available to stop every possible avenue of attack.
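To make the two ideas above concrete, the encryption "safe harbor" for lost and stolen assets (section 4) and the ranking of breach paths from first attacker action to compromised asset (section 5), here is an added Python example. It is not code from the report or from Verizon; the incident records, the `Incident` fields, the action names and the notification rule are all constructed for this illustration, and the rule deliberately mirrors only the report's wording ("does not trigger a duty to report under most breach laws"), so it is a modelling assumption rather than a statement of any particular statute.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Incident:
    """One PHI incident in a loosely VERIS-like shape (assumed for this example)."""
    incident_id: str
    actions: List[str]       # ordered actor actions, first to last
    asset: str               # asset that was ultimately compromised
    phi_records: int         # number of PHI records held on the asset
    encrypted: bool = False  # whether data at rest on the asset was encrypted


# Constructed sample incidents; none of these come from the Verizon report.
SAMPLE_INCIDENTS = [
    Incident("c-001", ["physical.theft"], "laptop", 3200, encrypted=True),
    Incident("c-002", ["physical.theft"], "laptop", 900),
    Incident("c-003", ["error.loss"], "documents", 40),
    Incident("c-004", ["misuse.privilege_abuse"], "database", 12),
    Incident("c-005", ["social.phishing", "malware.c2", "hacking.use_of_stolen_creds"], "database", 50000),
    Incident("c-006", ["physical.theft"], "laptop", 1500),
    Incident("c-007", ["error.misdelivery"], "mail", 5),
    Incident("c-008", ["social.phishing", "malware.c2", "hacking.use_of_stolen_creds"], "database", 8000),
    Incident("c-009", ["error.loss"], "usb_drive", 700, encrypted=True),
    Incident("c-010", ["misuse.privilege_abuse"], "ehr_application", 3),
]


def categorize(incident: Incident) -> str:
    """Map an incident onto the report's three headline buckets, by its first action."""
    first = incident.actions[0]
    if first in ("physical.theft", "error.loss"):
        return "lost_stolen"
    if first.startswith("misuse."):
        return "privilege_misuse"
    if first.startswith("error."):
        return "misc_error"
    return "other"


def category_share(incidents: List[Incident]) -> Dict[str, float]:
    """Fraction of incidents in each bucket (the report's 45% / 20% / 20% style view)."""
    counts = Counter(categorize(i) for i in incidents)
    return {bucket: n / len(incidents) for bucket, n in counts.items()}


def breach_paths(incidents: List[Incident], top: int = 10) -> List[Tuple[str, int]]:
    """Rank full paths: ordered actions followed by the asset that was compromised."""
    counts = Counter(" -> ".join(i.actions + [i.asset]) for i in incidents)
    return counts.most_common(top)


def next_step_edges(incidents: List[Incident]) -> Counter:
    """Edge-level view of the same paths: how often each step leads to the next one.
    A control that breaks a frequent edge interrupts every path running through it."""
    edges: Counter = Counter()
    for i in incidents:
        chain = i.actions + [i.asset]
        for src, dst in zip(chain, chain[1:]):
            edges[(src, dst)] += 1
    return edges


def requires_notification(incident: Incident) -> bool:
    """Assumed rule: a lost or stolen asset whose data was encrypted is treated as safe
    harbor (no notice); any other incident that exposed PHI records is reportable."""
    if categorize(incident) == "lost_stolen":
        return not incident.encrypted
    return incident.phi_records > 0


def triage(incidents: List[Incident]) -> Dict[str, object]:
    """Summarise what the team would act on: reportable incidents and the top paths."""
    reportable = [i for i in incidents if requires_notification(i)]
    return {
        "reportable_ids": [i.incident_id for i in reportable],
        "records_requiring_notice": sum(i.phi_records for i in reportable),
        "top_paths": breach_paths(incidents, top=3),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_INCIDENTS)
    print("bucket shares:", category_share(SAMPLE_INCIDENTS))
    print("reportable:", summary["reportable_ids"], "records:", summary["records_requiring_notice"])
    for path, n in summary["top_paths"]:
        print(f"{n:3d}  {path}")
```

On the constructed data, the two encrypted devices (c-001, c-009) drop out of the notification list even though c-001 held the third-largest record count, which is exactly the effect the report describes; the edge view shows that one control on the `social.phishing -> malware.c2` step would cut both of the multi-step database compromises at once, whereas each single-step theft needs its own control (encryption of the asset).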
With more health history in electronic form than ever before, organizations across all industries face an uphill battle when it comes to keeping PHI out of the hands (and away from the eyes) of attackers, and this report offers some great advice for those tasked with doing just that. You can read the report in full at http://www.verizonenterprise.com/resources/reports/rp_2015-protected-health-information-data-breach-report_en_xg.pdf