Verizon has published its yearly Protected Health Information Breach Report which digs deep into the main factors behind the breaches, why they happen, the motivations of internal and external threat actors, and the main dangers to the confidentiality, integrity, and availability of private healthcare information.
For the report, Verizon reviewed 1,368 healthcare data breaches and incidents in which protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although 75% of the breached entities were located in the United States, where the requirements for reporting PHI incidents are more stringent.
Unlike every other industry sector, healthcare is unique in that its largest security threat is internal. Insiders were to blame for almost 58% of all breaches, with external actors responsible for just 42% of incidents.
The main motivation for insider breaches is financial gain. PHI is taken to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon found that 48% of all internal incidents were carried out for financial gain. 31% involved accessing medical data out of curiosity or to pass time, 10% of incidents were caused by easy access to data, 3% happened because of a grudge, and a further 3% were for espionage. External attacks are primarily carried out for financial gain: extortion and the theft and sale of data.
Verizon also reviewed the actions that lead to PHI incidents and data breaches, and the most common was error. Errors were behind 33.5% of incidents and included the misdelivery of emails and mailings, mistakes made when disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes, and incorrect data entry. The leading cause was misdelivery of documents, which was to blame for 20% of all incidents in the error category.
The second largest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were caused by privilege abuse, that is, accessing records without proper permission. Data mishandling was behind 21.6% of incidents, and possession abuse (the misuse of access to physical records) accounted for 16.9% of incidents in the misuse category.
The physical category covers theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were classified in this category, with theft responsible for 95.2% of them. The theft of laptops was the most common incident type, and almost half (47%) of laptop thefts involved devices taken from staff members' vehicles. Encryption would have prevented the majority of these incidents from exposing PHI.
Although hacking is widely reported, it accounted for relatively few breaches: just 14.8% of all healthcare PHI incidents fell into this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with the credentials often obtained through phishing. Brute-force attacks on weak passwords were behind 20.9% of incidents, and 17.9% of hacking breaches involved the use of backdoors.
Malware was seen in 10.8% of all PHI incidents. While there were a wide variety of malware types and variants used in attacks, by far the largest category was ransomware, which was to blame for 70.5% of attacks.
Social attacks made up 8% of all incidents. This category covers attacks that target staff members. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%) and bribery (7.8%). Pretexting is the next step on from phishing: access to a compromised email account is used to send further emails, as in business email compromise (BEC) attacks.
Verizon offers three measures that will help reduce the number of PHI-related incidents and data breaches in the short term.
Full disk encryption should be used on all portable electronic devices that hold PHI. This simple step would prevent PHI from being accessed if a device is lost or stolen.
Routine monitoring of medical record access, which HIPAA requires, will not stop breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action swiftly. When staff members know that access logs are routinely reviewed, the monitoring also acts as a deterrent and reduces theft and unauthorized access incidents.
The last measure is to adopt defenses against ransomware and malware. While those defenses can and should include spam filters and web filters, simple steps can also be taken, such as not permitting laptops that store large quantities of PHI to access the Internet.
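The record-access review described above can be partly automated. The following is an added example, not part of the Verizon report or this article: a minimal audit pass over constructed EHR access events that flags the two insider patterns the report quantifies, privilege abuse (opening records of patients one is not treating) and unusually high-volume browsing. The care-team mapping, log fields and thresholds are assumptions for illustration.

```python
"""Audit constructed PHI access events for insider misuse patterns (added example)."""
from collections import defaultdict

# Constructed sample data: which staff are assigned to each patient's care.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_lee", "rn_ortiz"},
    "P1003": {"dr_kim", "rn_patel"},
}

# Constructed access events: (timestamp, user, patient_id, action).
ACCESS_LOG = [
    ("2024-03-01T08:02", "dr_lee", "P1001", "view"),
    ("2024-03-01T08:10", "rn_patel", "P1003", "view"),
    ("2024-03-01T09:30", "clerk_ng", "P1001", "view"),   # not on any care team
    ("2024-03-01T09:31", "clerk_ng", "P1002", "view"),
    ("2024-03-01T09:32", "clerk_ng", "P1003", "view"),
    ("2024-03-01T12:00", "rn_ortiz", "P1002", "update"),
]

# Users with a documented, role-based need to open any record (assumed empty here).
EXEMPT_USERS = set()


def find_unassigned_access(log, care_team, exempt=EXEMPT_USERS):
    """Return (timestamp, user, patient_id) for accesses by staff not on the patient's care team."""
    return [(ts, user, pid) for ts, user, pid, _ in log
            if user not in exempt and user not in care_team.get(pid, set())]


def find_high_volume_users(log, max_distinct_patients):
    """Return users who opened more distinct patient records than the threshold allows."""
    seen = defaultdict(set)
    for _, user, pid, _ in log:
        seen[user].add(pid)
    return sorted(u for u, pids in seen.items() if len(pids) > max_distinct_patients)


if __name__ == "__main__":
    for ts, user, pid in find_unassigned_access(ACCESS_LOG, CARE_TEAM):
        print(f"{ts} {user} opened {pid} without a care-team assignment")
    for user in find_high_volume_users(ACCESS_LOG, max_distinct_patients=2):
        print(f"{user} opened an unusually large number of distinct records")
```

In a real deployment the care-team mapping would come from the scheduling or EHR system and the volume threshold from a per-role baseline, so that legitimate high-volume roles are not flagged.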