Healthcare Leaks Not Just For Healthcare Providers
A report from Verizon finds that leaks of protected health information are epidemic, as more, different types of organizations are called on to track and store health data.
Healthcare data breaches aren’t just for the healthcare industry anymore.
That’s the unavoidable conclusion of a new report out from Verizon this week that surveys leaks of protected health information (PHI) by industry. While the healthcare industry was, by far, the biggest source of healthcare data leaks, it was just one of 18 industries linked to reportable leaks of patient information, including retail, finance and the public sector.
“The fact that an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach,” the report concluded, referring to the Health Insurance Portability and Accountability Act of 1996, which regulates the handling of patient health information.
Verizon’s 2015 Protected Health Information Data Breach Report made a study of protected health information (PHI) and “the many ways it can be disclosed.” The company studied close to 2,000 incidents from the Data Breach Investigation Report (DBIR) and the Vocabulary for Event Recording and Incident Sharing (VERIS) Community Database (VCDB). In all, the incidents comprised more than 392 million exposed records from 25 countries – though most incidents reported were in the U.S.
Rather than just analyzing incidents linked to the “healthcare” industry, the company broadened its analysis to also look for incidents where the data type that was lost was categorized as “medical records” or in which the victim was described as a “patient.” In addition, incidents where data was described as “at risk” were included – meaning occasions where a potential exposure of data, but not a confirmed breach, was identified.
Companies come to store employee and customer health data through a variety of means, Verizon notes. Company-sponsored wellness programs might result in the collection of health information for employees. So, too, might disability and other insurance claims.
Even companies that are not “HIPAA covered entities” may be bound to report the theft or loss of data by other laws, including state-level data privacy laws or industry regulations like the Payment Card Industry Data Security Standard (PCI DSS).
The Verizon survey identified three major categories of incident: physical theft, error (for example: loss of a laptop) and misuse of data, accounting for more than 1,500 of the 1,900 studied incidents. Also noted as sources of health information breaches were hacking, the use of malicious software and social-based attacks (aka “social engineering”).
The loss of medical records and personally identifiable information (PII) seems to correlate with larger breaches in the studied incidents, Verizon found. Medical record and PII losses were far more likely to be described in the thousands or greater. That may be due to the fact that theft of this data is often the result of a compromise of database servers where such data is collected and stored in bulk.
In general, healthcare breaches were more likely to be linked to the theft of assets, such as laptops, than in other industries – such as retail – where compromises of point of sale and other systems were more common.
The danger, going forward, is that patients may become wary of sharing health data for any purpose if they fear that doing so will expose them to risk of identity theft. Verizon encourages firms that are storing health information to take simple steps to make their networks and data more secure. Given commonplace breaches linked to device theft, healthcare organizations still have room to improve in using encryption to secure data at rest on these devices. More strict and consistent management of user credentials can also prevent incidents of “snooping” and employee abuse.
Still, there’s reason for optimism in the Verizon report: the time taken to notice security incidents is shrinking from months to days compared to four or five years ago. For example: 45 percent of incidents involving the loss of personal health information took “years” to discover in 2011. In 2014, just 19% took “years” to discover, while 31% took “days,” Verizon said.
In addition, regulators are doing a better job of noting and responding to breaches of patient health privacy laws, levying fines on hospitals and other covered entities for failing to protect PHI.