What does Verizon’s report on data breaches reveal about healthcare?


One of the healthcare industry’s biggest issues is a lack of visibility and it seems to be an impediment to improving security. That was one of the findings of Suzanne Widup, Senior Analyst and co-author of Verizon’s 2013 Data Breach Investigations Report.

The highly readable report — the sixth year it has been published — looked at more than 63,000 confirmed security incidents across 50 industries. This marked the first year it included incidents that didn’t lead to the unauthorized transfer of data from a computer.

In a phone interview with MedCity News, she called for more leadership in the industry around the issue of security advocacy.

“We don’t have as much visibility into healthcare as other industries,” Widup said. “We have been trying to work with professional associations but we have not had much success there. We have had some interest in participation from healthcare data aggregators, but it’s a matter of getting more partners. I have not really seen much in the way of leadership in healthcare for advocacy in this area.”

Here are some of the problem areas of data security relevant to healthcare that were highlighted in the report.

Insufficient encryption continues to be a big problem when laptops and mobile devices are lost or presumed lost. Under the way data security protocols are set up, patient data on a lost device is presumed stolen if it is not encrypted. About 46 percent of healthcare data breaches were caused by lost devices containing unencrypted patient data. The only group with a worse record of lost devices triggering breaches is the government. Losing devices is far more common than theft, by a ratio of 15 to one according to the report. The majority of losses occurred in the user’s work area, followed by the person’s vehicle and residence.

“That’s important because it suggests the vast majority of incidents in this pattern are not due to malicious or intentional actions,” according to the report. “Thus, the primary challenge is to a) keep employees from losing things (not gonna happen) or b) minimize the impact when they do.”

Hospitals, like anyone who manages laptops, also need to do a better job of ensuring that medical staff are aware of security protocols and follow them.

Widup also flagged a couple of other problem areas for healthcare. One falls under the report’s broad Miscellaneous category, but in practice it mostly means human error, particularly in things like mass mailings. There were more than 16,500 incidents in this category.

A typical case is someone’s medical information stuffed into an envelope addressed to someone else. Veterans Administration hospitals, and other hospitals that do an awful lot of mass mailings, are a common source of this problem. The best remedy is to set up a compensating control to double-check the envelopes; it is a quality control issue. Point-of-sale security breaches are also a big source of theft in healthcare.

Privilege abuse is another problem that affects healthcare organizations. There were 11,698 incidents last year in which people used privileged access to look up private data and transmit it. Personal data was at risk in 34 percent of these incidents and payment data in nearly 30 percent. Where these individuals work for a contractor, they could be sent into an organization specifically to gather information for tax fraud. This illustrates the importance of having an audit trail. As the report points out:

“Discovery methods for the majority of breaches have traditionally been dominated by external signals. For insider misuse, however, internal methods (55 percent) are responsible for detecting more incidents than external methods (45 percent). The most common way organizations detected insider crimes was when employees reported them. Discoveries triggered by financial and IT audits were also very common. Reviewing the books on Monday morning is an example of the former, and a promising example of the latter is a regular process to review access for exiting employees.”
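The two internal detection methods the report singles out, an audit trail that can be reviewed and a regular check of access by exiting employees, are straightforward to automate once an access log exists. The script below is an added example written for this article, not code from Verizon or the report; the audit log format, the HR roster and all user and patient identifiers in it are constructed sample data. It parses a record-access log, flags any use of an account after its owner’s leaving date, and flags accounts that view an unusually large number of distinct patient records in a short window, which is the kind of signal an IT audit would look for in a privilege-abuse case.

```python
"""Audit-trail review for insider misuse (added example, not from the report).

Two checks a security team can run over a record-access log:
  1. access by accounts whose owners have already left (the report's
     "review access for exiting employees"), and
  2. accounts viewing many distinct patient records within a short window,
     a common indicator of privilege abuse worth a closer look.
The log lines, roster, users and patient ids below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, user, action, patient record id.
AUDIT_LOG = """\
2013-09-02T08:01:10 jdoe    VIEW   P10001
2013-09-02T08:03:44 jdoe    VIEW   P10002
2013-09-02T08:04:02 jdoe    VIEW   P10003
2013-09-02T08:04:30 jdoe    VIEW   P10004
2013-09-02T08:05:01 jdoe    VIEW   P10005
2013-09-02T08:05:20 jdoe    VIEW   P10006
2013-09-02T09:15:00 mlee    VIEW   P20001
2013-09-02T11:40:12 mlee    VIEW   P20002
2013-09-03T07:55:31 rkhan   VIEW   P30001
2013-09-03T13:02:09 rkhan   EXPORT P30001
"""

# Constructed HR roster: user -> leaving date (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "mlee": None,
    "rkhan": datetime(2013, 8, 30),
}


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return events


def post_termination_access(events, roster):
    """Return events where an account was used on or after its owner's leaving date."""
    findings = []
    for ev in events:
        left = roster.get(ev["user"])
        if left is not None and ev["ts"] >= left:
            findings.append(ev)
    return findings


def bulk_lookups(events, max_patients=5, window=timedelta(minutes=10)):
    """Map user -> largest number of distinct records viewed within `window`,
    for users who exceed `max_patients`. Sliding window over time-sorted events."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "VIEW":
            per_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > max_patients:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review(log_text=AUDIT_LOG, roster=HR_ROSTER):
    """Run both checks and return the findings as plain data for reporting."""
    events = parse_log(log_text)
    return {
        "post_termination": [
            (e["user"], e["ts"].isoformat(), e["action"], e["patient"])
            for e in post_termination_access(events, roster)
        ],
        "bulk_lookups": bulk_lookups(events),
    }


if __name__ == "__main__":
    for key, val in review().items():
        print(key, val)
```

On the sample data, `rkhan` is reported for two accesses after the roster’s leaving date, including an export, and `jdoe` is reported for viewing six distinct records inside ten minutes. The threshold and window are deliberately parameters: a ward clerk legitimately touches many records, so the values should be tuned per role from the organization’s own baseline rather than fixed, and both checks only work if the access log itself is complete and tamper-evident.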
