Protected Health Information (PHI) is clearly at risk and organizations are simply not doing enough to protect it, a first-ever Verizon PHI study found.
The data is not just being stolen from hospitals; discovering the breaches that lay it bare often takes years, and in many cases patients withhold information that may be critical to their medical care because they fear it might be exposed, according to Verizon's 2015 Protected Health Information Data Breach Report.
After studying the loss of nearly 400 million records in 1,900 incidents across 25 countries, drawn from the company's Data Breach Investigation Report (DBIR) and the Vocabulary for Event Recording and Incident Sharing (VERIS) and covering 1994 to 2014, Verizon found that it took months for organizations to discover 33.2 percent of the incidents and years to uncover another 18.75 percent. Fewer than one-third were discovered within days.
“Third party discovery is the most common way of finding out” about a breach, Suzanne Widup, senior security analyst and the report's lead author, told SCMagazine.com in a Monday interview.
Healthcare organizations aren't the only places leaking PHI, the global report noted. Such data has been exposed in 90 percent of the top-level industries (including retail, finance, mining and education) previously identified in Verizon's DBIRs.
“Apart from employees, many organizations collect PHI as part of doing business with their customers,” the study said. “The insurance industry is a prime example, and one where we have seen some very large data disclosures recently.”
Widup said that some organizations don't see themselves as large enough to attract attackers. “But if they have the type of data bad guys want, they're not too small,” she explained. That data can be anything from employee benefit information locked in human resources records to data held by insurance companies or collected at the point of sale in retail locations.
Exposure or loss of data occurred for a number of reasons, with 85 percent of the cases studied falling into one of three incident patterns—physical theft, error and misuse.
Ambulatory healthcare services and hospitals “accounted for 94% of the incidents between them,” the study said, with ambulatory accounting for more than half of the total. That's where the bulk of physical thefts—anything from X-rays to paper records and computer equipment housing data—occurred. “Physical is a huge problem,” said Widup. “You even see it on things that don't impact patient care—like researchers' devices.”
She added that loss of unencrypted devices “still is a big problem.”
Organizations have long struggled to reduce and eliminate errors such as misplacement of an asset, misdelivery of information and improper disposal of sensitive information. And the report acknowledged that containing them usually boils down “to the need for checks along the way in processes that handle PHI.”
Privilege misuse is another challenge. People with legitimate access to systems may do “bad things,” such as snoop on medical records of celebrities or dignitaries, the report explained.
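Privilege misuse by insiders with legitimate access is hard to prevent with access controls alone, so the usual defensive check is to review the EHR audit trail for accesses that lack a documented care relationship, especially against records that have been flagged for monitoring. The example below is an added illustration, not code from the Verizon report or from SCMagazine; the audit-log format, the care-team roster, the flagged-patient list and the thresholds are all constructed here and would differ in any real system.

```python
"""Flag possible record snooping in a constructed EHR audit log.

Added example: the log format, roster and thresholds are assumptions,
not taken from the Verizon PHI report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: which users have a care relationship with each patient.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.ortiz"},
    "P1002": {"nurse.kim"},
    "P9001": {"dr.ortiz"},
    "P9002": {"dr.ortiz"},
    "P9003": {"dr.ortiz"},
}

# Constructed list of records under heightened monitoring (e.g. a public figure).
FLAGGED_PATIENTS = {"P9001"}

# Constructed audit-log lines: (timestamp, user, patient_id, action).
AUDIT_LOG = [
    ("2015-11-02T08:01:00", "nurse.kim", "P1001", "view"),
    ("2015-11-02T08:05:00", "nurse.kim", "P1002", "view"),
    ("2015-11-02T08:06:00", "dr.ortiz", "P1001", "view"),
    ("2015-11-02T12:30:00", "clerk.lee", "P9001", "view"),
    ("2015-11-02T12:31:00", "clerk.lee", "P9002", "view"),
    ("2015-11-02T12:33:00", "clerk.lee", "P9003", "view"),
    ("2015-11-02T15:00:00", "nurse.kim", "P9002", "view"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_snooping(log, care_team, flagged, burst_threshold=3,
                    window=timedelta(minutes=10)):
    """Return alerts for accesses without a care relationship.

    Rule 1: any access by a user not on the patient's care team is an alert;
            severity is "high" if the record is flagged, else "medium".
    Rule 2: a user who reaches `burst_threshold` distinct unrelated records
            within `window` gets one additional "bulk_browsing" alert.
    """
    alerts = []
    unrelated = defaultdict(list)  # user -> [(time, patient)] without care relationship

    for ts, user, patient, action in log:
        if user in care_team.get(patient, set()):
            continue  # documented care relationship: normal access
        severity = "high" if patient in flagged else "medium"
        alerts.append({"time": ts, "user": user, "patient": patient,
                       "action": action, "rule": "no_care_relationship",
                       "severity": severity})
        unrelated[user].append((_parse(ts), patient))

    for user, hits in unrelated.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct patients this user touched within the window starting at `start`
            patients = {p for t, p in hits[i:] if t - start <= window}
            if len(patients) >= burst_threshold:
                alerts.append({"time": start.isoformat(), "user": user,
                               "patient": None, "action": None,
                               "rule": "bulk_browsing", "severity": "high",
                               "count": len(patients)})
                break  # one burst alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_snooping(AUDIT_LOG, CARE_TEAM, FLAGGED_PATIENTS):
        print(a)
```

On the constructed log this yields four "no_care_relationship" alerts (one high, for the flagged record) plus one "bulk_browsing" alert for the user who opened three unrelated records in three minutes; the single out-of-team access by nurse.kim is reported at medium severity but does not trip the burst rule. In practice the care-team roster comes from scheduling and admission systems, and legitimate emergency access should be reconciled against break-the-glass records before an alert is escalated.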
Breaches continue to have a deep impact on the healthcare industry in numerous ways. Not only is information at risk, raising the likelihood of identity theft and other cybercrime, but the quick diagnosis and treatment of diseases is also in jeopardy.
“An unwillingness to fully disclose information could delay a diagnosis of a communicable disease,” the study said.