"What most health systems don’t realize is that many patients will suffer financial loss as a result of cyber attacks on medical information," said Kaveh Safavi, M.D., J.D., managing director of Accenture’s global healthcare business. "If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft."

We might recall that 2015 saw its fair share of complacency in the healthcare industry. For instance, in April of this year, U.S. HealthWorks sent a letter to its patients warning them that, as a result of a stolen employee laptop, their names, addresses, dates of birth, Social Security Numbers, medical record numbers, insurance information, and/or medical conditions might have been exposed. Just a few months later, a targeted attack against the network of UCLA Health compromised the personal and medical information of nearly 5 million patients. These and other incidents like them illustrate that healthcare organizations could be doing more to protect their customers' information.

"Many organizations are not doing enough to protect this highly sensitive and confidential data," said Suzanne Widup, co-author of the annual Verizon Data Breach Investigations Report (DBIR). "This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals. Healthcare organizations need to realize that patients trust them with their data and if that trust is broken, the implications can be huge." In part to highlight the consequences of this broken trust, Widup collaborated with a number of analysts to produce the first-ever Verizon Protected Health Information Data Breach Report.
- In all three subcategories, physical compromise, i.e. something stolen, was responsible for most incidents, followed by error and misuse.
- Internal actors caused most of the incidents under the "patient" heading.
- Under the "medical records" category, there were more individual incidents but fewer records exposed overall as compared to the "patient" label.
- The "healthcare" heading saw the least PHI exposed among the three categories at 95 million records.
"This problem illustrates why it is so difficult to measure the true impact of breaches," observe the report's authors. "What many organizations fail to remember is that the data they collect is about the relationship they have with those data subjects. As reports of medical record losses continue to pile up, the trust between medical providers and their patients is being eroded. The implications of this may be wider than practitioners anticipate."

With that in mind, it is important that healthcare organizations look into how they can prevent future breaches from occurring. To illustrate, 85% of the incidents in Verizon's study are accounted for by lost and stolen assets (45.4%), privilege misuse (20.3%), and miscellaneous errors (20.1%). Organizations can mitigate these by implementing encryption and security controls on laptops and mobile devices, designing training programs that emphasize how malicious insiders end up serving jail time, and creating quick and efficient reporting mechanisms for all employees should a miscellaneous error occur.

Laurance Dine, managing principal for the Verizon Investigative Response Unit, is well aware of the benefits these types of procedures can have for a healthcare organization looking to protect its customers' information. "Just as a doctor might counsel a patient that there is no ‘miracle pill’ and that they should just eat better, exercise more, and maintain a proper sleep schedule, the same is true for ensuring confidentiality, integrity and availability of these records," he told Infosecurity Magazine. "Assess processes, procedures and technologies that will affect the security of these records and prescribe a proactive treatment that will help the ‘cyber immune system’ better protect the data entrusted to them." If firms take these steps, they can begin to manage some of the risks confronting them today.
This will help them begin to earn their customers' trust back, which in turn will lay the foundation for a better, less complacent, and more proactive year in 2016.