Stolen medical information is a much more widespread issue than previously thought, affecting 18 of 20 industries examined in a new report from Verizon.
The 2015 Protected Health Information (PHI) Data Breach Report resulted from an analysis of confirmed breaches involving more than 392 million records and more than 1,900 incidents across 25 countries. Common sources of PHI are employee records, including workers’ compensation claims, and/or information for wellness programs.
Gabriel Bassett, Verizon Enterprise Solutions’ senior information security data scientist and co-author of the report, tells Channel Partners that much more work is needed to ensure proper safeguarding of PHI data.
“This is an opportunity for the channel to work with their customers to deliver solutions that address this critical need across most industries,” he said. “Just because you’re not in health care doesn’t mean that you don’t need to worry about PHI data.”
Nearly half of the U.S. population has been impacted by breaches of PHI since 2009, according to the report. The FBI issued a warning to health-care providers in early 2015 stating that their industry is not as resilient to cyberattacks as the financial and retail sectors.
“Many organizations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior analyst and lead author of the report. “This can lead to significant consequences impacting an individual and their family, and increasing health-care costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals.”
In PHI breaches, the number of external and internal actors is nearly equal, with a difference of just 5 percentage points, meaning there is a lot of insider misuse, according to the report.
Medical-record data is often taken with malicious intent, but frequently it is the personally identifiable information (PII), such as credit card and Social Security numbers, that attackers are really after, in order to facilitate financial crimes and tax fraud.
“The most surprising find is that 90 percent of industries have experienced a breach of personal health information,” Bassett said.
Differences also are evident in how the breaches occur, according to the report. The primary action of attack is theft of lost portable devices, such as laptops, tablets and thumb drives, followed by error, which can be as simple as sending a medical report to the wrong recipient or losing a laptop. Third is misuse, which can result from an employee abusing his or her access to the information. These three actions make up 86 percent of all breaches of PHI data.
“It is disappointing that they are still so prevalent even though we have known how to address them for years,” Bassett said.
It can take months, if not years, to discover breaches, according to the report. Incidents that took years to discover were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.