The theft of health information from non-healthcare organisations has become quite a problem, according to new research from Verizon, who says 18 out of 20 industries examined were affected.
According to the company, most organisations outside of healthcare do not realise they hold medical data, however protected health information can be found across most industries in employee records and wellness programs and are generally not well protected.
“Many organisations are not doing enough to protect this highly sensitive and confidential data,” explains Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report.
“This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organisations and individuals. Protected health information is highly coveted by today’s cybercriminals,” she says.
According to recent studies called out in the report, people are withholding information – sometimes critical information – from their healthcare providers because they are concerned that there could be a data breach, Widup says.
“Healthcare organisations need to realise that patients trust them with their data and if that trust is broken, the implications can be huge,” she says.
According to the report’s findings, medical record data is often taken with malicious intent; however, it is frequently the personable identifiable information (PII), like credit card and social security numbers, that attackers are really after in order to facilitate financial crimes and tax fraud.
Differences are also evident in how the breach occurs, Widup says. The primary action of attack is theft of lost portable devices (laptop, tablets, thumb drives), followed by error, which can simply be sending a medical report to the wrong recipient or losing a laptop.
Third is misuse that can result from an employee that abuses his/her access to the information. These three actions make up 86% of all breaches of PHI data, Widup explains.
“In addition, the time to discovery most frequently falls into the months and sometimes years category,” she says.
“For those incidents taking years to discover, they were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.”
“While detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud, the media and industry researchers continue to shine a light on the loss of highly personal data in order to bring much needed attention to this issue,” Widup says.
According to the study, nearly half of the population of the United States has been impacted by breaches of PHI since 2009. Furthermore, the FBI issued a warning to healthcare providers in early 2015 stating that the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.
“To help address this issue, Verizon offers insights and recommendations in the report on how to best protect data in addition to illuminating the fact that PHI data is contained in many more places than organizations realise,” Widup explains.