Data breaches are on the rise in healthcare organizations, but hackers aren’t after your health data, according to security experts at HIMSS15.
There’s no question that data security breaches are on the rise. Over 7 million patient records were impacted by data breaches in 2013. The number of healthcare organizations reporting criminal attacks doubled from 20% in 2010 to 40% in 2014.
Verizon’s 2015 Data Breach Investigations Report, released at HIMSS15, draws on data contributed by 70 organizations across a wide range of industries and 61 countries. The report distinguishes two similar but distinct security issues. A security incident is “any event that compromises the confidentiality, integrity, or availability of an information asset.” A data breach is an incident that results in confirmed disclosure of information to an unauthorized party, not merely exposure.
Among the healthcare organizations in the report’s data set, there were 234 security incidents and 141 confirmed data breaches. In healthcare, 32% of data breaches were the result of miscellaneous errors, 26% of privilege misuse, and 16% of lost or stolen assets.
Whoops, they did it again
According to Suzanne Widup, network and data security expert and co-author of the Verizon report,
We see data breaches, in healthcare especially, the top risk is actually errors. It’s not, you know, the hackers coming after you—it’s errors. It’s people who post something sensitive on a website, and there’s no controls on it, and Google finds it.
The report breaks miscellaneous errors down by how the data got out. The three most common patterns in healthcare are:
- Misdelivery (30% of error-related disclosures): sensitive information is sent to the wrong recipient, by mail or e-mail.
- Publishing errors (15%): non-public data is posted to a public website.
- Disposal errors (12%): documents or devices are discarded without being securely destroyed or wiped.
An inside job
“It’s not just when data goes out[side of the organization] that it’s at risk,” said Suzanne Widup in a Verizon-hosted panel discussion nuviun attended at HIMSS15.
It can be particularly frustrating when the culprit of a data breach comes from inside the organization. These are people the organization has already vetted and trusted with sensitive information, on the expectation that the data will be used only as intended.
Sometimes, according to the Verizon report, these data thieves sell the information to competitors, or use it to develop their own businesses. Other times, it’s for a less malicious (but possibly equally dangerous) purpose, like building a convenient workaround to speed up their workflow.
As in 2013, 55% of theft incidents occurred in the victim’s work area and 22% involved an employee-owned vehicle. Remarkably, such thefts can take days to discover.
Hackers aren’t after your health data
Health information exchanges (HIEs), which allow the exchange of electronic medical records, are treasure troves for attacks. Crooks looking to steal data target health organizations for the rich data sets they find in HIEs.
While it may not be much consolation, the panel of data security experts agreed that most people who steal data are not after personal health information as such. Data thieves want personally identifiable information, such as Social Security numbers, names, addresses, and the credit card details collected for co-pays, which they can use for identity theft and fraud.
In a 2013 interview with eWeek, Widup said:
We find that the health care breaches act a lot like retail breaches in as much as that it's the organized crime groups going after the payment chain, so they're looking for the credit cards and the Social Security numbers they can turn into money.
Keeping Security Healthy
Widup suggests that healthcare organizations (hospital systems, health insurance companies, and so on) look at how unrelated industries, even dry cleaners and ticketing services for spectator sports and the performing arts, secure their data. No industry is an island when it comes to data security, and these industries can share their best practices for the greater good.
Beyond a more collaborative, industry-inclusive approach to data security, Widup and other panel members recommend monitoring for unusual access patterns in patient charts, and checking workspaces more frequently to confirm that devices are physically secure, rather than relying on an annual risk review alone. Just as important is testing how long it takes the organization to detect an incident once it has happened.
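The two checks the panel recommends, watching charts for unusual access and measuring time-to-detect, can be illustrated with a small script over an EHR access audit log. This is an added example written for this page, not code or data from the Verizon report, the HIMSS panel or nuviun. The audit lines, the care-team roster (ASSIGNMENTS), the per-user baselines and the 3x threshold are all made-up assumptions; a real deployment would read them from the EHR’s audit trail and staffing system.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit records (timestamp,user,patient,action), made up for
# this example; they are not data from the Verizon report or the HIMSS panel.
AUDIT_LOG = """\
2015-04-13T08:02:11,nurse_a,PAT-1001,VIEW
2015-04-13T08:15:40,nurse_a,PAT-1002,VIEW
2015-04-13T09:01:05,clerk_b,PAT-2001,VIEW
2015-04-13T09:03:19,clerk_b,PAT-2002,VIEW
2015-04-13T09:04:02,clerk_b,PAT-2003,VIEW
2015-04-13T09:04:55,clerk_b,PAT-2004,VIEW
2015-04-13T09:05:31,clerk_b,PAT-2005,VIEW
2015-04-13T09:06:10,clerk_b,PAT-2006,VIEW
2015-04-13T09:06:48,clerk_b,PAT-2007,VIEW
2015-04-13T09:07:21,clerk_b,PAT-2008,VIEW
2015-04-13T09:08:03,clerk_b,PAT-2009,EXPORT
2015-04-13T10:30:12,nurse_a,PAT-3001,VIEW
2015-04-14T08:10:00,nurse_a,PAT-1001,VIEW
"""

# Hypothetical care-team roster: which patients each user legitimately treats.
ASSIGNMENTS = {
    "nurse_a": {"PAT-1001", "PAT-1002"},
    "clerk_b": {f"PAT-200{i}" for i in range(1, 10)},
}

# Hypothetical per-user baseline: distinct charts a user normally opens per day.
BASELINE_CHARTS_PER_DAY = {"nurse_a": 3, "clerk_b": 2}


def parse_audit_log(text):
    """Parse comma-separated audit lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def flag_unassigned_access(events, assignments):
    """Chart accesses by users with no care relationship to the patient."""
    return [e for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def flag_volume_outliers(events, baseline, factor=3):
    """Users who opened more distinct charts in one day than factor x baseline.

    Records the timestamp of the access that crossed the limit, i.e. the
    earliest moment a real-time monitor could have raised an alert.
    """
    seen = defaultdict(set)   # (user, day) -> distinct patients so far
    flags = {}
    for e in events:
        key = (e["user"], e["ts"].date())
        seen[key].add(e["patient"])
        limit = factor * baseline.get(e["user"], 1)
        if len(seen[key]) > limit and key not in flags:
            flags[key] = {"user": e["user"], "day": str(e["ts"].date()),
                          "limit": limit, "crossed_at": e["ts"]}
    for key, flag in flags.items():
        flag["count"] = len(seen[key])
    return list(flags.values())


def run_review(alert_iso):
    """Run both checks and measure time-to-detect against a review time.

    alert_iso is when the review actually ran (for example a nightly batch
    job); the gap between the first alertable event and that time is the
    detection delay the panel suggests measuring.
    """
    alert_ts = datetime.fromisoformat(alert_iso)
    events = parse_audit_log(AUDIT_LOG)
    unassigned = flag_unassigned_access(events, ASSIGNMENTS)
    outliers = flag_volume_outliers(events, BASELINE_CHARTS_PER_DAY)
    alertable = [e["ts"] for e in unassigned] + [f["crossed_at"] for f in outliers]
    latency = int((alert_ts - min(alertable)).total_seconds()) if alertable else None
    return {
        "unassigned": [(e["user"], e["patient"]) for e in unassigned],
        "outliers": [(f["user"], f["day"], f["count"], f["limit"]) for f in outliers],
        "latency_seconds": latency,
    }


if __name__ == "__main__":
    summary = run_review("2015-04-14T06:00:00")
    for user, patient in summary["unassigned"]:
        print(f"unassigned access: {user} opened {patient}")
    for user, day, count, limit in summary["outliers"]:
        print(f"volume outlier: {user} opened {count} charts on {day} (limit {limit})")
    print(f"detection delay: {summary['latency_seconds']} s")
```

On the constructed log, the roster check catches nurse_a opening a chart outside her assignments, and the volume check catches clerk_b bulk-opening nine charts (and exporting one) against a baseline of two per day. The script records the moment the limit was crossed, so comparing it with the time the review actually ran gives a concrete time-to-detect figure: a nightly batch finds it about 21 hours later, a real-time monitor would fire within seconds, and an annual review would not catch it for months.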
Widup recommends that healthcare organizations “take a data centric view of the risk. Find out where your data—especially your sensitive data—is most at risk and make sure you’ve got the controls around it. In addition, [I tell people] not just to focus on one particular kind of risk.”