Do Healthcare Breaches Undermine Trust?

In the spring of 2014, the Federal Bureau of Investigations sent out a private notice to healthcare providers warning them that as a result of lax security controls in their field, the healthcare industry as a whole was more prone to "cyber intrusions" than the financial and retail sectors. Unfortunately, this threat has not changed in the past year. Taking into account the intrinsic value of healthcare data as compared to other types of information, organizations that fail to make information security a priority risk losing $300 billion of cumulative lifetime revenue, damages which in part reflect Accenture's prediction that one in 13 patients in the United States will have their medical and/or personal information compromised over the next 3-4 years.

"What most health systems don’t realize is that many patients will suffer financial loss as a result of cyber attacks on medical information," said Kaveh Safavi, M.D., J.D., and managing director of Accenture’s global healthcare business. "If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft."

We might recall that 2015 saw its fair share of complacency in the healthcare industry. For instance, back in April of this year, U.S. HealthWorks sent out a letter to its patients warning them that as a result of a stolen employee laptop, their names, addresses, dates of birth, Social Security Numbers, medical record numbers, insurance information, and/or medical conditions might have been exposed. Just a few months later, a targeted attack against the network of UCLA Health compromised the personal and medical information of nearly 5 million patients. Clearly, these and other incidents like them illustrate the fact that healthcare organizations could be doing more to protect their customers' information. "Many organizations are not doing enough to protect this highly sensitive and confidential data," said Suzanne Widup, co-author of the annual Verizon Data Breach Investigations Report (DBIR). "This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals. Healthcare organizations need to realize that patients trust them with their data and if that trust is broken, the implications can be huge." In part to highlight the consequences of this broken trust, Widup collaborated with a number of analysts to produce the first-ever Verizon Protected Health Information Data Breach Report. The study examines the problems associated with medical data loss and treats the notion of protected health information--that is, personally identifiable health information of an individual that is protected under a law at or above the state level--as its analytical starting point. Widup and her co-authors searched through the DBIR as well as the Vocabulary for Event Recording and Incident Sharing (VERIS) Community Database (VCDB) and arrived at a dataset of 1,931 separate records, with the majority of the incidents occurring between 2004 and 2014. In total, 90% of the North American Industry Classification System (NAICS) codes are represented across the events, which were centralized in 25 different countries (87% occurred in the United States.) and compromised 392 million records. (The actual number of exposed records could be significantly higher, however, as 24% of the incidents did not come with an exact number of affected customers.) The study's dataset represents a comprehensive understanding of how PHI can be compromised and therefore extends beyond the "healthcare" industry. "Medical records" as a lost data type and a "patient" subject/victim relationship were also taken into consideration, which means that a unique variety of industries--including agriculture, real estate, and transportation--were examined in the analysis. This inclusion likely reflects breaches relating to worker compensation claims, wellness programs, and health insurance offerings, the authors note. Overall, the analysts found that approximately half (903) of the incidents in their dataset were caused by external actors. But with 791 incidents attributable to internal actors, it is clear that the insider threat is still a serious concern to organizations. By far the most common means of compromise was physical (677 incidents), such as installing skimming devices on ATMs and gas pumps, followed by error (524), misuse (362), hacking (215), malware (110), and social (50). All of these malicious actions compromised at least one of the following types of information: PHI, payment or payment card industry (PCI) information, personal or personally identifiable information (PII), and credentials. Further investigation revealed, however, that high-bulk credential breaches were an exception. In most cases, credentials were individually exposed by a phishing email or keylogger and subsequently abused as a gateway to other types of information, which were predominantly stolen by the thousands out of databases. The authors then went on to break down the incidents according to their three separate headings: "patient" (a subject/victim relationship category), "medical records" (a data type category), and "healthcare" (an industry category). Some notable findings are presented below:

• In all three subcategories, physical compromise, i.e. something stolen, was responsible for most incidents, followed by error and misuse.
• Internal actors caused most of the incidents under the "patient" heading.
• Under the "medical records" category, there were more individual incidents but fewer records exposed overall as compared to the "patient" label.
• The "healthcare" heading saw the least PHI exposed among the three categories at 95 million records.

Given the number of industries and records compromised in the report's dataset, it is no wonder that Widup and her colleagues point to instances in which patients are withholding information from their providers out of the fear of a data breach. As Sara Peters of DarkReading writes, a Harvard study found that 12.3% of respondents had withheld information from a healthcare provider because of security concerns, whereas a study from Dartmouth and the University of Wisconsin-Milwaukee found that 13% of respondents reported having withheld information due to privacy/security concerns.

"This problem illustrates why it is so difficult to measure the true impact of breaches," observes the report's authors. "What many organizations fail to remember is that the data they collect is about the relationship they have with those data subjects. As reports of medical record losses continue to pile up, the trust between medical providers and their patients is being eroded. The implications of this may be wider than practitioners anticipate."

With that in mind, it is important that healthcare organizations look into how they can prevent future breaches from occurring. To illustrate, 85% of the incidents in Verizon's study are accounted for by lost and stolen assets (45.4%), privilege misuse (20.3%), and miscellaneous errors (20.1%). Organizations can mitigate against these by implementing encryption and security controls on laptops/mobile devices, designing training programs that emphasize how malicious insiders end up serving jail time, and creating quick and efficient reporting mechanisms for all employees should a miscellaneous error occur. Laurance Dine, managing principal for the Verizon Investigative Response Unit, is well aware of the benefits these types of procedures can have for a healthcare organization looking to protect its customers' information. "Just as a doctor might counsel a patient that there is no ‘miracle pill’ and that they should just eat better, exercise more, and maintain a proper sleep schedule, the same is true for ensuring confidentiality, integrity and availability of these records," he told Infosecurity Magazine. "Assess processes, procedures and technologies that will affect the security of these records and prescribe a proactive treatment that will help the ‘cyber immune system’ better protect the data entrusted to them." If firms take these steps, they can begin to manage some of the risks confronting them today. This will help them begin to earn their customers' trust back, which in turn will lay the foundation for a better, less complacent, and more proactive year in 2016. To read Verizon's report in full, please click here. Title image courtesy of ShutterStock