Almost 60 percent of data breach incidents involving protected health information (PHI) involved insiders, which makes healthcare the only industry in which internal actors are the biggest threat to an organization’s data security, according to a recent Verizon security report.
In Verizon’s 2018 Protected Health Information Data Breach Report, researchers analyzed 1,368 security incidents across 27 countries, with a focus on the healthcare sector’s specific profile and security challenges, including the levels of abuse of this protected information. The report specifically focused on incidents within healthcare in which the data type disclosed or at risk was medical records, and patients were the data subject victim. Almost three-quarters of the incidents included in the report analysis were in the U.S.
Through this analysis, researchers found that more than half (58 percent) of incidents involve insiders. Focusing on incidents where data was either confirmed as disclosed or was at risk, internal actors are more common than external—which is unique to the healthcare industry. Forty-two percent of incidents involve external actors, 5.9 percent involve partner entities and 5.1 percent of incidents were attributed to collusion.
What’s more, the report authors note that often internal actors are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent).
The study also found that 27 percent of incidents were related to sensitive data on paper. This correlates with a recent study published in the American Journal of Managed Care that found despite the high level of hospital adoption of electronic health record (EHR) systems, paper and films were the most frequent location of breached data.
“While modernization of record storage and data flows bring a new threat landscape to the forefront, the amount of data breaches associated with old-fashioned paper documents is eye opening,” the study authors wrote.
The report authors also wrote, “Medical device hacking may be in the news, but it seems the real criminal activity is found by following the paper trail. Whether prescription information sent from clinics to pharmacies, billing statements issued by mail, discharge papers physically handed to patients, or filed copies of ID and insurance cards, printed documents are more prevalent in the healthcare sector than any other. The very nature of how PHI paperwork is handled and transferred by medical staff has led to preventable weaknesses—sensitive data being misdelivered (20 percent), thrown away without shredding (15 percent), and even lost (8 percent).”
Within the threat action category of “misuse,” half of all those incidents are to privilege abuse.
According to the study, 21 percent of PHI breach incidents involved lost and stolen laptops containing unencrypted PHI. More employee education is required to ensure that basic security measures are implemented, the report authors note.
Ransomware continues to be a threat as well, as 70 percent of incidents involving malicious code within the healthcare sector were ransomware infections. This mirrors the ongoing use of ransomware across all business sectors.
The report also looks at threat action categories and finds that 34 percent of incidents fall within the category of error, and 30 percent of incidents are categorized as misuse. Sixteen percent of threat actions were physical, 15 percent were hacking, 11 percent were malware and 8 percent was a social engineering attack.
The report authors contend that in order to reduce these breach incidents of protected health information, healthcare organizations must focus on long-term and short-term improvements to directly address some of the common security challenges flagged by these findings.
The report authors note that full disk encryption (FDE) can provide an effective and relatively low-cost method of keeping sensitive data out of the hands of criminals. In addition, the report recommends routine monitoring of record access. “Policies and procedures should be in place to mandate monitoring of internal PHI access. All employees should be aware, via security training and warning banners, that if they view any patient data without a legitimate business need there is potential for corrective actions,” the report states.
And, the report recommends building resiliency to combat ransomware attacks. “Preventive controls for defending against malware installation are key, as is minimizing the impact that ransomware could have against a network. Do not allow end-user devices to propagate and spread ransomware to critical assets, and do not use devices with high availability requirements to surf the Internet or receive external email,” the report states.
The report also outlines a number of long-term security measures that should be implemented.
Healthcare organizations need to focus on securing electronic PHI (ePHI). According to the study, breaches involving ePHI included the publishing of sensitive data on public websites (7 percent) and misdelivery (7 percent) via email – “still alarming, but much less so than those breaches associated with old-fashioned paper documents,” the study states.
Organizations should work towards a reduction of paper-based PHI in their environments, and establish a holistic risk management program that protects not only ePHI, but also other sensitive data that they store and process, the report states.
“We also need to recognize that overly strict restrictions in access to patient information has the potential to impact a healthcare professional’s ability to make timely and proper point-of-care decisions - but there are still improvements that can be made. For example, a comprehensive review and ongoing audits of access rights to sensitive data would ensure ease of access to front-line medical providers, yet reduce unnecessary access elsewhere,” the report authors wrote.
What’s more, the use of the Internet of Things (IoT) is becoming more commonplace across the sector, so it’s critical for healthcare organizations to establish a proactive policy of building security into any and all implementations. This is vital in addressing what could be an increasing threat in the future, the report states. Focusing on resiliency and availability in IoT implementations, as well as integrity and confidentiality, is also important.
“Having an overall incident response plan ready to go should a cyberattack occur will also enable quicker reactions, and can often make a difference to the level of impact an incident has on an organization. Testing those plans using table top exercises to discover gaps is critical before an incident occurs, as well as holding post mortem reviews after the fact to capture lessons learned,” the report states.
