Verizon Releases Health Information Data Breach Report


Verizon security researchers, already well known for their annual Data Breach Report, have released a new version of this report targeted specifically at breaches involving personal health information. The study looks at the causes behind medical data loss and what providers can do to mitigate those risks.

The report covers more than 1,900 breaches and 392 million records to create a dataset around personal health information breaches. The loss of personal health information can happen in many industries, not just healthcare. In any industry, employees involved in insurance, workers' comp, or wellness programs may have some of their health information stored with an employer or an insurance company.

According to the data, many breaches come from external actions, such as an adversary specifically targeting these types of records, but almost as many are the result of human error. As breaches in healthcare have grown, individuals have started to hold back information, afraid that it might get out, which could mean that a diagnosis takes longer or is missed altogether.

“Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. This is not only a potential issue for the treatment of a specific patient; there are potential public health implications. An unwillingness to fully disclose information could delay a diagnosis of a communicable disease. This is especially true if the disease has an attached stigma,” report authors write.

This trend makes it difficult to quantify the full scope of impact health data breaches may have over the long term. Bhavesh Chauhan, Principal Client Partner — Security Solutions, Verizon Enterprise Solutions, tells CivSource that organizations with access to this type of data will have to improve training and security standards, not only for better protection but also to maintain trust. Policymakers will also need to take a close look at security standards and frameworks that enable better risk management.

“It’s not just training, organizations need to look at their systems and find ways to harden them,” Chauhan says. “It will require resources up front, but that initial cost is likely to be less than the cost to clean up a large incident.”

Data in the report shows that over 45 percent of the breaches come from lost or stolen assets, while another 20 percent come from privilege misuse. Authors suggest that better encryption will be necessary to get a handle on this. “First among the patterns is Lost and Stolen Assets. It is frustrating to see this category return year after year because it’s one of the more easily solved problems. Encryption (particularly of portable devices) offers a figurative ‘get out of jail free’ card since the data remains secure despite the loss of control over the asset. In the vast majority of cases, this means the incident does not trigger a duty to report under most breach laws,” they write.

Still, healthcare data may need to be easily accessible in emergency situations. Report authors push back on this argument too: “not all of these assets had a function where emergency access is likely to be needed. We’ve seen researchers’ laptops holding significant numbers of records being lost or stolen that would not endanger patients if the asset had security controls.”

In their conclusion, the security researchers say that despite losses and a hesitancy to encrypt data, some organizations are getting better at creating a security culture. Once that awareness is in place, providers and other entities will be able to detect breaches faster and improve their data protection and breach reaction.
