
Six things we learned from Verizon’s report on health data breaches

Breaches of protected health information go far beyond the healthcare industry.

Verizon Communications on Thursday released a much-hyped report on health data breaches. Many of the headlines elsewhere screamed that breaches of protected health information — as defined by HIPAA — go far beyond the healthcare industry. According to the telecom giant, 90 percent of the industries studied have experienced health data breaches.

(At least one headline was wrong, by the way. Health IT Security incorrectly reported that 87 percent of all PHI breaches took place in the U.S. Verizon simply warned of bias because 87 percent of the incidents it had analyzed were from the U.S. This wasn’t meant to be an exhaustive study; it left out all of Latin America and Africa, plus significant parts of Europe, including Russia.)

But what did the report say beyond the headlines?


Verizon, based in Basking Ridge, New Jersey, said that it pored over 1,931 incidents from 25 countries, comprising at least 392 million patient records. Here are six interesting things from that analysis:

1. The total number of records potentially compromised by those nearly 2,000 breaches may be much higher than 392 million, since 24 percent of organizations that suffered security breaches “did not provide a finite number of records involved,” Verizon said.

2. The education, retail and finance industries are fairly susceptible to PHI breaches. Why? Self-insured entities certainly manage healthcare data. Any company involved in a workers’ compensation claim could hold individuals’ health information.

3. Hacking is less common than some might think, particularly in the wake of several high-profile hacks against U.S. health insurers this year. Just 215 of the 1,931 breaches Verizon analyzed were the result of hacks. Physical breaches — think skimmers on ATMs and other card readers, as well as, presumably, theft of paper records — were the most common. Human error and simple misuse of PHI also were responsible for more breaches than hacking.

4. In healthcare, the “Nefarious Nine” are more like a “Threatening Three.” Though Verizon has been producing reports on data breaches since 2008, this is the first time the company has directly addressed healthcare data breaches. In the general reports, Verizon has identified nine patterns, the “Nefarious Nine,” that account for 96 percent of breached data. In healthcare, just three of them — lost or stolen assets, privilege misuse and “miscellaneous errors” (think information misplacement, misdelivery, disposal errors and publishing mistakes) — were responsible for 85 percent of the incidents.

5. Insider attacks take the longest to detect. If it took years rather than months for the affected organization to realize it had suffered a PHI breach, it was more than three times as likely that an insider had abused access privileges. “This really speaks to the need for detective controls that can uncover this type of behavior,” Verizon said.

6. Verizon’s researchers have a sense of humor. Who knew that a member of the Dow 30 would allow such a lighthearted tone in a serious report? An “attack graph” that Verizon likened to a “big knot of kill chains” had the following footnotes: “Or a plate of spaghetti. Who knew breach research can also make you hungry? Seriously, back to kill chains”; and “Does it remind you of that nail-and-string art from the 1970s? No, me neither—I’m not old enough to remember that.”
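As an added illustration of the kind of “detective control” item 5 calls for (this is example code written for this page, not code from Verizon or from its report), the Python below runs two baseline checks over a constructed EHR access-audit log: chart views of patients outside the user’s own unit with no documented treatment relationship, and a day on which a user’s view count is far above that user’s own history. The audit-line format, the unit labels, the 3x ratio and the 10-view floor are all assumptions chosen for the illustration.

```python
"""Detective control for slow insider misuse of PHI access.

Added example for this article, not code from Verizon's report. It runs a
baseline-deviation check over a constructed EHR access-audit log and flags
two behaviours that tend to persist for years before anyone notices:
  1. a user viewing records of patients outside the user's own unit with
     no documented treatment relationship (record snooping), and
  2. a user whose daily record-view count is far above that user's own
     baseline (trawling or bulk export).
The log format, unit labels, 3x ratio and 10-view floor are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Assumed audit-line format: date,user,user_unit,patient_id,patient_unit,action
# Actions: "view" = opened a chart, "treat" = documented care for the patient.


def constructed_log():
    """Synthetic audit log (constructed): one clean user and two abusers."""
    rows = []
    days = [f"2015-03-0{d}" for d in range(1, 6)]
    # nurse_a: ICU nurse, three ICU charts a day, documents care for P100.
    rows.append(f"{days[0]},nurse_a,ICU,P100,ICU,treat")
    for d in days:
        rows += [f"{d},nurse_a,ICU,{p},ICU,view" for p in ("P100", "P101", "P102")]
    # nurse_b: ICU nurse who also opens two ER charts on days 2 and 4 with no
    # care documented, plus one ER patient (P202) for whom care is documented.
    for d in days:
        rows.append(f"{d},nurse_b,ICU,P103,ICU,view")
    for d in (days[1], days[3]):
        rows += [f"{d},nurse_b,ICU,{p},ER,view" for p in ("P200", "P201")]
    rows.append(f"{days[2]},nurse_b,ICU,P202,ER,treat")
    rows.append(f"{days[2]},nurse_b,ICU,P202,ER,view")
    # doctor_d: ER physician, four ER charts a day, then twenty on day 5.
    for d in days[:4]:
        rows += [f"{d},doctor_d,ER,P{200 + i},ER,view" for i in range(4)]
    rows += [f"{days[4]},doctor_d,ER,P{200 + i},ER,view" for i in range(20)]
    return rows


def parse(lines):
    """Parse audit lines into dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, user_unit, patient, patient_unit, action = line.split(",")
        events.append(dict(day=day, user=user, user_unit=user_unit,
                           patient=patient, patient_unit=patient_unit,
                           action=action))
    return events


def detect_privilege_misuse(lines, ratio=3.0, min_views=10):
    """Return cross-unit views without a care relationship and volume spikes."""
    events = parse(lines)
    treating = {(e["user"], e["patient"]) for e in events if e["action"] == "treat"}

    # Rule 1: a view of a patient in another unit, with no documented care.
    out_of_unit = sorted(
        (e["day"], e["user"], e["patient"])
        for e in events
        if e["action"] == "view"
        and e["patient_unit"] != e["user_unit"]
        and (e["user"], e["patient"]) not in treating
    )

    # Rule 2: a day whose view count is >= ratio x the user's mean on other days.
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "view":
            daily[e["user"]][e["day"]] += 1
    volume_spikes = []
    for user, counts in sorted(daily.items()):
        for day, n in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            if len(others) < 3:
                continue  # too little history to call a baseline
            baseline = mean(others)
            if n >= min_views and n >= ratio * baseline:
                volume_spikes.append((user, day, n, baseline))
    return {"out_of_unit": out_of_unit, "volume_spikes": volume_spikes}


if __name__ == "__main__":
    report = detect_privilege_misuse(constructed_log())
    for day, user, patient in report["out_of_unit"]:
        print(f"{day}: {user} opened {patient} outside their unit, no care documented")
    for user, day, n, baseline in report["volume_spikes"]:
        print(f"{day}: {user} viewed {n} charts (own baseline {baseline:.1f}/day)")
```

The point of comparing each user against their own history rather than a global threshold is that legitimate roles differ enormously in volume; a per-user baseline is what lets a single day of trawling stand out. In practice the treatment-relationship check would be driven by the EHR’s encounter or assignment tables rather than a “treat” event in the same log.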

Also on Thursday, India-based MarketsandMarkets estimated that the global health IT security market would be worth $9.9 billion by 2020, up from $4.9 billion this year. That represents a compound annual growth rate of 15 percent.
