Bitglass analyzed three years worth of HHS breach records for its report.

After analyzing three years worth of breach records available through the Department of Health and Human Services (HHS), a security firm found that nearly 70 percent of incidents since 2010 were caused by loss or theft of devices and files.

While 68 percent of breaches over the three-year period were attributed to protected health information (PHI) “gone missing,” only 23 percent of breaches were linked to hacking, said the report, released Tuesday by Bitglass.

According to the study (PDF), titled “The 2014 Bitglass Healthcare Breach Report,” the “overwhelming majority” of healthcare breaches share a common denominator: “inadequate security around devices (or paper) containing PHI.”

The study later added that organizations should “beware of hackers – but pay even closer attention to that employee packing up for the weekend, or taking his/her laptop out the door to his/her car.”

Citing a 2013 EMC report (PDF), Bitglass noted that the value of stolen health records on the black market far outweighs that of credit card information, and that criminals can “continue using or selling the [PHI] even after the victim knows it's been compromised,” as opposed to credit card information, for instance, which can be quickly devalued by canceling a card.

A health record sells on average for $50 on the black market, while a stolen Social Security number usually fetches $1, the report said.

Bitglass CEO Nat Kausik told SCMagazine.com in a Wednesday interview that securing PHI on mobile devices becomes increasingly difficult since healthcare workers (such as physicians) may work for multiple hospitals or healthcare organizations, and are less likely to take advantage of security technology that may lead to “some sort of restriction on the device” as users manage varying email applications, for instance, for different organizations.

“If you want to secure a device, mobile device management software, for instance, can only be installed from one organization on any given device,” he said of some limitations.

The report suggested that organizations employ solutions that “dynamically detect and redact PHI as data flows to BYOD clients.”

Healthcare entities can also take additional measures, like placing digital watermarks on sensitive information in order to track sensitive data, and using single sign-on (SSO) technology throughout the organization, the study said. Lastly, the report advised that “any security solution should deploy and scale easily, and with minimal administrative overhead.”