The telecommunications company Verizon has released its annual Protected Health Information Breach Report. This report offers a detailed analysis into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.
In compiling the report, analysts at Verizon studied 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. In order to obtain a comprehensive look at the nature of data breaches, the study collected breach reports from 27 countries, although three quarters of the breached entities were based in the United States. This is largely due to the stricter requirements under United States law for reporting incidents in which PHI may be compromised.
The report revealed some surprising information about the nature of PHI breaches in the healthcare industry. In contrast to all other industry sectors investigated, the healthcare industry is unique as the biggest security threat comes from those who work within the sector. So-called “insiders” were found to be responsible for almost 58% of all breaches. External actors were responsible for the remaining 42% of incidents.
As a part of the report, Verizon’s agents analysed the actions that lead to the data being breached in the first place. It was revealed that the main reason that somebody working in the healthcare industry caused a breach was for personal financial gain. PHI has a huge black-market value; it is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. In their analysis, Verizon determined that 48% of all internal incidents were conducted for financial gain.
A further 31% involved accessing medical data out of curiosity, with employees snooping on the data of people they know or just for the fun of it. Nearly 10% of incidents were attributed to the data being insufficiently protected and easily accessed. Around 3% of incidents occurred due to a grudge and a further 3% were related to espionage. Similarly, external attacks are primarily conducted for financial gain. Cybercriminals can make huge financial gains from extortion and the theft and sale of data.
Verizon’s report included an analysis of the actions that lead to PHI incidents and data breaches. The most common action that resulted in a breach was human error, which was behind 33.5% of incidents. This category includes the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category. Human error is difficult to correct, so this is a worrying sign for all those working to ensure the integrity of PHI is maintained.
The second biggest breach category is misuse, accounting for 29.5% of all incidents. In breaking this down, the report shows that 66% of these incidents were attributed to privilege abuse – accessing records without authorization. Employees mishandling data caused 21.6% of incidents, and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.
The physical loss of data could be attributed to 16.3% of breach incidents. This includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. Theft accounted for an overwhelming proportion of incidents: 95.2% overall. Laptops were stolen more than any other device reported. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of thorough technical safeguards, such as encryption, would prevent the majority of these incidents from exposing PHI.
Although hacking may be at the forefront of public consciousness when it comes to data security, it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents). The increase in the number of phishing attacks means that this number is predicted to increase in the coming years. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.
Malware was involved in 10.8% of all PHI incidents. Ransomware, which blocks a user’s access to a system until a ransom is paid, accounted for an overwhelming 70.5% of attacks.
Social attacks accounted for 8% of all breach incidents. This category involves attacks on employees in order to access PHI. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the next stage on from phishing, when access to email accounts is used to send further emails.
Following their thorough analysis on the nature and causes of breaches, Verizon offers a series of suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.
Due to the high rate of laptop theft, Verizon recommends that full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed even if the laptop is stolen.
Verizon also recommends the routine monitoring of medical record access, in line with HIPAA legislation. Although this is not a measure that will prevent breaches, it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.
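One way to turn the routine access monitoring recommended above into a concrete check, as an added example that is not from the Verizon report or this article: it flags record views where the user has no care-team relationship with the patient, and separately flags views of colleagues' records (the "people they know" snooping described earlier). The audit log format, the care-team table and all user and patient identifiers are constructed assumptions.

```python
"""Flag suspicious medical record access from an audit log (constructed sample data)."""
from collections import Counter

# Constructed assumption: which staff have a treatment relationship with each patient.
CARE_TEAM = {
    "P100": {"dr_lee", "nurse_kim"},
    "P200": {"dr_lee"},
    "P300": {"nurse_kim"},
}

# Constructed assumption: patients who are also employees (likely snooping targets).
EMPLOYEE_PATIENTS = {"P300": "nurse_ali"}

# Constructed audit log: timestamp,user,action,patient_id
AUDIT_LOG = """\
2024-03-01T08:00:00,dr_lee,view,P100
2024-03-01T08:05:00,nurse_kim,view,P100
2024-03-01T08:10:00,clerk_bob,view,P200
2024-03-01T08:12:00,clerk_bob,view,P300
2024-03-01T08:15:00,dr_lee,view,P300
2024-03-01T09:00:00,nurse_kim,view,P300
"""


def parse_log(text):
    """Yield one dict per audit line; the CSV layout is an assumed format."""
    for line in text.splitlines():
        ts, user, action, patient = line.strip().split(",")
        yield {"ts": ts, "user": user, "action": action, "patient": patient}


def find_unauthorized_access(log_text, care_team, employee_patients):
    """Return (user, patient, reason) for every access outside the care team."""
    findings = []
    for ev in parse_log(log_text):
        if ev["user"] in care_team.get(ev["patient"], set()):
            continue  # legitimate treatment relationship, nothing to report
        reason = "no_treatment_relationship"
        if ev["patient"] in employee_patients:
            reason = "colleague_record"  # a co-worker's chart: classic snooping
        findings.append((ev["user"], ev["patient"], reason))
    return findings


def top_offenders(findings):
    """Rank users by number of flagged accesses for follow-up review."""
    return Counter(user for user, _, _ in findings).most_common()
```

Running `top_offenders(find_unauthorized_access(AUDIT_LOG, CARE_TEAM, EMPLOYEE_PATIENTS))` on the sample ranks clerk_bob first with two flagged views; in practice the care-team table would come from scheduling or admission data rather than a literal.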
Due to the ever increasing threat of cybercriminals using phishing techniques to access PHI, Verizon strongly recommends the implementation of safeguards against ransomware and malware. This can range from the use of spam filters and web filters to prevent phishing emails from being received to implementing a full training regime to ensure employees know the dangers of phishing attacks and can spot them before sensitive information is compromised.