90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches

New Verizon PHI report finds that organizations workers comp and wellness programs are also vulnerable repositories for personal health information.

Financial services companies, retailers, government agencies, take heed. Youre vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever
Verizon Protected Health Information Data Breach Report
, released yesterday.
The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States.
The data is gathered from breaches covered in the Verizon Data Breach Incident Report and in the Vocabulary for Event Recordings and Incident Sharing Community Database. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a patient by the breached organization.
Therefore, not all PHI in this report contains medical records; it might be credit card data scraped from a PoS system at a dentists office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program.
In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations. Thats going to be surprising to them too I think, says Suzanne Widup, senior consultant for the Verizon RISK team and lead author of the report.
Widup says much of this sensitive information is being volunteered by employees, and showing up in workers compensation and wellness program files. Companies need to treat that data just like any other data, says Widup, and secure it accordingly.
Yet, the majority of incidents still came from healthcare. The type of actors and threats also varied by the type of healthcare organization. The vast majority of events came from hospitals and from
ambulatory healthcare services
, which includes physicians offices, denstists offices, diagnostic labs, and a variety of other outpatient care centers.
While ambulatory services are more prone to attacks by external threat actors, hospitals are more vulnerable to insiders, both malicious and accident-prone. Hacking and malware are smaller problems in hospitals (experienced by only 7.4% and 3.4% of hospitals, respectively), but a more significant issue for ambulatory services (14.3% and 9.3%). Conversely, misuse -- like snooping on celebrity medical records, Widup suggests -- is a much bigger problem for hospitals (25.2%) than it is for ambulatory services (13.9%).
For both though, the top problems are error (22.0% for ambulatory services, 28.2% for hospitals) and physical actions, like loss or theft of unencrypted devices (38.9% for ambulatory services, 32.0% for hospitals). Does the sad physical action figure in this particular report, however, simply reflect the fact that the report covers incidents that occurred before hard-disk encryption of laptops was a standard security best practice?
God I wish it did, says Widup. Healthcare, she says, continues to lag behind when it comes to putting in encryption as a control. This is something we see consistently in healthcare year after year ... Its really kind of frustrating.
The healthcare industry is often wary of security measures that could jeopardize the availability and performance of devices, particularly when they are essential to emergency patient care. However, devices that are often lost and stolen, says Widup, are not even used in patient care. She suggests that healthcare organizations look at a subset of those devices that arent used in patient care, but might nevertheless hold medical records -- or credentials to systems that hold medical records -- and start at least locking down those systems.
On the plus side, incidence of lost/stolen devices were discovered relatively quickly. Conversely, according to the report, incidents in this dataset that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database).
The weak security of healthcare data is having far-reaching effects. The Verizon report references a
Harvard study
that found 12.3% of respondents had withheld information from a healthcare provider because of security concerns and a
study
from Dartmouth and the University of Wisconsin-Milwaukee that found 13% of respondents reported having ever withheld information from a provider because of privacy/security concerns related to EHRs.
Its pretty concerning, says Widup, when you think about the implications for public health.

Last News
▸ Black Hat 2013 highlights Home Security, Bootkits, Cell OPSEC shortcomings. ◂ Discovered: 26/12/2024 Category: security	▸ Google and DISA start User ID project. ◂ Discovered: 26/12/2024 Category: security	▸ Enhancing Security of Web Apps ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches