Verizon’s annual Protected Health Information Breach Report is out. The report analyzed 1,368 healthcare data breaches in which protected health information (PHI) was exposed (not necessarily compromised). The breach data came from 27 countries, with about 75% of the breached entities located in the United States.
The biggest security threat in the healthcare industry is insiders, who were behind 58% of all breaches; external actors accounted for the remaining 42%. Among insiders, 48% stole PHI for financial gain, and the stolen information was used for identity theft, tax fraud, credit card fraud and insurance fraud. 31% acted out of curiosity or for fun, 10% because the data was conveniently accessible to them, 3% out of a grudge and another 3% for espionage. External actors were motivated by extortion and by selling the stolen data.
Verizon also categorized the actions that led to the breaches. The largest category, at 33.5% of breaches, was error: misdelivery of mailings and emails, publishing errors, improper disposal of PHI, misconfiguration, loss of PHI, data entry errors and programming mistakes. Misdelivery alone accounted for 20% of the error incidents.
The second category, at 29.5% of breaches, was misuse. 66% of misuse incidents involved accessing records without authorization, 21.6% involved data mishandling and 16.9% involved misuse of access to physical records.
The physical category, 16.3% of all breaches, covered theft of records and devices, tampering, snooping, surveillance and disabled controls. 95.2% of the incidents in this category were laptop thefts, and 47% of those laptops were stolen from employees’ vehicles. Encrypting the devices would have significantly reduced the exposure of PHI: a thief who has the hardware still cannot read the data, and under HIPAA the loss of a properly encrypted device is generally not a reportable breach.
Hacking made a lot of noise but caused only 14.8% of healthcare data breaches. 49.3% of hacking incidents involved the use of stolen credentials (typically obtained through phishing); brute force attacks accounted for 20.9%, use of backdoors for 17.9% and malware, particularly ransomware, for 10.8%.
Social attacks, which target employees rather than systems, made up 8% of all health data breaches. 69.9% involved phishing, 11.7% involved pretexting (including sending email from an account taken over during a phishing attack) and 7.8% involved bribery.
Verizon offered three suggestions to reduce PHI breach incidents:
- Full disk encryption – this should be used on all portable electronic devices so that PHI files cannot be read even if the unit is lost or stolen.
- Medical record access monitoring – this is already required by HIPAA. It does not prevent a breach, but reviewing the audit trail limits the severity of insider misuse, theft and unauthorized access by catching it early.
- Implement solutions that fight malware and ransomware – spam filters and web filters reduce these incidents, and laptops or workstations that hold large quantities of PHI should not be allowed to connect to the internet at all.
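As an added illustration of the access-monitoring recommendation (this is example code written for this page, not part of the Verizon report or of any EHR product), the script below reviews a constructed EHR audit log for the two insider patterns the report highlights: clinical staff opening charts of patients they are not assigned to, and a single account pulling many different records in a short window. The log format, the care-team table, the break-glass convention and the thresholds are all assumptions made for the example.

```python
"""Audit-log review for unauthorized EHR record access.

Added example, not from the Verizon report or any vendor. Access
monitoring does not stop an insider from opening a chart, but reviewing
the audit trail finds misuse early. The pipe-separated log format, the
care-team table, the break-glass convention and the thresholds below
are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: treating staff assigned to each patient.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_ahmed"},
    "P1002": {"dr_lee"},
    "P1003": {"dr_patel", "rn_ahmed"},
    "P1004": {"dr_patet"} if False else {"dr_patel"},
}

# Constructed EHR audit lines: timestamp|user|role|patient|action
SAMPLE_LOG = """\
2018-03-05T09:02:11|dr_lee|physician|P1001|view_chart
2018-03-05T09:05:40|rn_ahmed|nurse|P1001|view_meds
2018-03-05T09:07:02|billing_kim|billing|P1002|view_demographics
2018-03-05T09:07:30|billing_kim|billing|P1003|view_demographics
2018-03-05T09:08:05|billing_kim|billing|P1004|view_demographics
2018-03-05T09:08:41|billing_kim|billing|P1001|view_demographics
2018-03-05T11:14:00|dr_patel|physician|P1002|break_glass
2018-03-05T11:15:00|dr_patel|physician|P1002|view_chart
2018-03-05T21:40:12|rn_ahmed|nurse|P1004|view_chart
"""

WINDOW = timedelta(minutes=10)          # assumed review window
MAX_PATIENTS_PER_WINDOW = 3             # assumed bulk-lookup threshold
CLINICAL_ROLES = {"physician", "nurse"} # roles expected to have a care relationship


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def find_unauthorized_access(events, care_team=CARE_TEAM, window=WINDOW):
    """Clinical users viewing patients outside their care team.

    An access is treated as justified only if the same user recorded a
    break_glass event for that patient within `window` before the view.
    Returns (user, patient, iso timestamp) tuples.
    """
    findings = []
    for e in events:
        if e["role"] not in CLINICAL_ROLES or e["action"] == "break_glass":
            continue
        if e["user"] in care_team.get(e["patient"], set()):
            continue
        justified = any(
            b["user"] == e["user"] and b["patient"] == e["patient"]
            and b["action"] == "break_glass"
            and e["ts"] - window <= b["ts"] <= e["ts"]
            for b in events)
        if not justified:
            findings.append((e["user"], e["patient"], e["ts"].isoformat()))
    return findings


def find_bulk_lookups(events, window=WINDOW, max_patients=MAX_PATIENTS_PER_WINDOW):
    """Accounts touching more than `max_patients` distinct charts in one window.

    Sliding window per user; returns (user, peak distinct patients) for
    every account that exceeded the threshold.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        worst, start = 0, 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            worst = max(worst, len({x["patient"] for x in evs[start:end + 1]}))
        if worst > max_patients:
            findings.append((user, worst))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Out-of-care-team access:", find_unauthorized_access(evs))
    print("Bulk lookups:", find_bulk_lookups(evs))
```

On the constructed log the first check flags the nurse who opened a chart at 21:40 for a patient not on their assignments with no break-glass record, while the physician who recorded break-glass a minute before viewing is left alone; the second check flags the billing account that pulled four different patients in under two minutes. Thresholds like these should be tuned per role against a baseline of normal activity, otherwise the review queue fills with legitimate billing and coding work.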