Medical records theft is a plague on health care, other industries

Public pressure is growing for companies to protect sensitive data


Each time a Community Health Systems or an Anthem or a Premera Blue Cross gets hacked, sensitive patient records flood into the cyber underground.

But cyber thieves are by no means the only parties responsible for exposing sensitive information protected by the Health Insurance Portability and Accountability Act.

Company insiders also are playing a major role in PHI—protected health information—getting into the wrong hands.


What’s more, it is not just medical facilities and health care insurers losing PHI. Government agencies, financial services companies, law and accounting firms, and even retailers are losing health care data at an alarming rate.

Those are the big takeaways from Verizon’s 2015 Protected Health Information Data Breach Report, a special look at more than 1,500 actual incidents, predominantly in the United States, in which at least 392 million PHI records have turned up lost or stolen. Most of the incidents occurred between 2004 and 2014.

The report was assembled by the same team of investigators and analysts responsible for Verizon’s highly regarded Data Breach Investigations Report, an annual assessment of patterns found in hundreds of actual data breach investigations.

Verizon’s analysts found:

  • 42 percent of PHI data loss incidents were attributable to internal parties, while 50 percent could be blamed on external actors.
  • In 45 percent of incidents, PHI was exposed due to lost or stolen computing devices.
  • Health care organizations reported 1,403 breaches involving medical records; public agencies, 177; financial companies, 113; retailers, 32; and professional firms, 35.

Lost devices big threat

The big takeaway for Marc Spitler, senior analyst for Verizon Enterprise Solutions and one of the report authors, was the high rate of lost computing devices carrying unencrypted PHI.

Marc Spitler, Verizon Enterprise Solutions senior analyst

“We’re a little surprised and disappointed that we’re still seeing such a significant amount of lost and stolen devices being reported as potential vectors of PHI theft,” Spitler says.

After all, full-disk encryption (FDE) is “a very basic security mechanism” that renders sensitive data on laptops unusable, Spitler points out. Full-disk encryption amounts to a “get-out-of-jail-free card,” he says, since the loss or theft of a device whose protected data is encrypted does not have to be reported to authorities. (HIPAA’s breach notification rule covers only “unsecured” PHI; data encrypted in line with HHS guidance, with the key kept off the device, does not count as unsecured.)
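Claiming that safe harbor after a loss means being able to show the device was actually encrypted, which is an inventory question. The check below is an added example written by the editor, not code from the article, from Verizon or from any vendor quoted here: it decides from captured tool output whether each host’s system volume is encrypted, using `lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` on Linux (walking the device stack so LVM on LUKS is recognized), `fdesetup status` on macOS and `manage-bde -status C:` on Windows. The hostnames and tool output are constructed for the example, and the wording of FileVault’s in-progress line is an assumption.

```python
"""Fleet check: is each host's system volume actually encrypted?

Added example (editor's own, not from the article or the Verizon report).
It parses captured output of real tools instead of running them, so it works
offline; the sample output below is constructed, not collected from real hosts.
"""
import re
from typing import Callable, Dict, List, Tuple

# One device per line, KEY="value" pairs, as printed by
#   lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Turn lsblk -P lines into one dict per block device."""
    return [dict(PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]


def linux_root_encrypted(lsblk_text: str) -> bool:
    """True when "/" is on a dm-crypt device or on anything stacked above one
    (LVM on LUKS, for example). Walks PKNAME links from the root filesystem
    toward the physical disk. Lookups use KNAME because a dm device's PKNAME
    is the parent's kernel name (dm-0), not its mapper name (cryptlvm)."""
    rows = parse_lsblk_pairs(lsblk_text)
    by_kname = {r["KNAME"]: r for r in rows if "KNAME" in r}
    dev = next((r for r in rows if r.get("MOUNTPOINT") == "/"), None)
    seen = set()
    while dev is not None and dev.get("KNAME", "") not in seen:
        seen.add(dev.get("KNAME", ""))
        if dev.get("TYPE") == "crypt" or dev.get("FSTYPE") == "crypto_LUKS":
            return True
        dev = by_kname.get(dev.get("PKNAME", ""))
    return False  # no "/" in the inventory, or a chain that reaches bare disk


def macos_filevault_on(fdesetup_text: str) -> bool:
    """`fdesetup status` prints "FileVault is On." once the volume is encrypted.
    While conversion is still running it adds a progress line; the exact wording
    ("Encryption in progress: ...") is assumed here, and such a volume is treated
    as not yet protected because unconverted blocks are still plaintext."""
    text = fdesetup_text.strip()
    return "FileVault is On." in text and "in progress" not in text.lower()


def windows_bitlocker_protected(manage_bde_text: str) -> bool:
    """`manage-bde -status C:` must show BOTH "Conversion Status: Fully Encrypted"
    and "Protection Status: Protection On". Fully encrypted with protection off
    (BitLocker suspended) keeps the volume master key in the clear on the disk,
    so a lost laptop in that state is as exposed as an unencrypted one."""
    fields: Dict[str, str] = {}
    for line in manage_bde_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


CHECKS: Dict[str, Callable[[str], bool]] = {
    "linux": linux_root_encrypted,
    "macos": macos_filevault_on,
    "windows": windows_bitlocker_protected,
}


def unprotected_hosts(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """inventory: hostname -> (platform, raw tool output). Returns the hosts whose
    system volume is not *proven* encrypted; an unknown platform or empty output
    counts as unprotected, because the safe harbor needs positive evidence."""
    bad = []
    for host, (platform, output) in inventory.items():
        check = CHECKS.get(platform)
        if check is None or not check(output):
            bad.append(host)
    return sorted(bad)


# Constructed sample inventory (hostnames and output are made up for this example).
SAMPLE_INVENTORY: Dict[str, Tuple[str, str]] = {
    "lnx-luks": ("linux", """\
NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptlvm" KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
"""),
    "lnx-plain": ("linux", """\
NAME="nvme0n1" KNAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
"""),
    "mac-fv": ("macos", "FileVault is On.\n"),
    "win-suspended": ("windows", """\
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""),
}

if __name__ == "__main__":
    for host in unprotected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: system volume not proven encrypted")
```

Two design points matter for the audit: the Linux check walks the whole block-device stack rather than looking only at the root partition, so a root filesystem on LVM over LUKS still counts as encrypted, and the Windows check demands both “Fully Encrypted” and “Protection On”, because a suspended BitLocker volume is encrypted on disk but decryptable by anyone who picks up the laptop. Hosts that cannot be positively shown to be protected are reported, since an incident responder has to prove encryption after the fact, not assume it.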

Robin Daniels, chief revenue officer for Vera, a data security company, feels much the same. “It’s nearly criminal to me that the number (of unencrypted devices) is this high in 2015,” Daniels says.

Daniels says that encryption is still widely viewed as cumbersome and expensive, which it used to be—20 to 30 years ago.

Robin Daniels, Vera chief revenue officer

“Of course, that’s not the case anymore,” says Daniels, adding that data protection and encryption have become top priorities for many industries.

Complexities hamper security

Still, the health care industry lags behind other sectors in implementing security tools such as encryption. Even the FBI issued a warning that this sector is much less resilient than others, such as the financial and retail sectors.

Part of the challenge is that integrating technology and health care delivery is much more complex, says Michael Ebert, a health care and life sciences consultant at KPMG.

A typical medical environment can have tens of thousands of endpoints, including employee mobile devices, treatment equipment and scanning machines, Ebert says. “A lot of that technology is not encrypted because it requires FDA approval, and that process takes a long time,” he adds.

Furthermore, disparate subsystems—the operating room, emergency department and intensive care unit, for instance—have to be seamlessly integrated, says Michelle Knighton, a lab manager at ICSA Labs, which certifies security and health IT products.

“All those systems have to work together to provide that central patient record to the physician,” she says. “That adds complexity and introduces more weaknesses.”

False peace of mind

Knighton sees a movement toward encryption, but it’s limited mostly to technology such as electronic health record systems, which have mandatory minimum security features.

Michelle Knighton, ICSA Labs lab manager

“Compliance doesn’t equal security,” she says. “There’s a misconception that using a certified EHR system that’s been tested for certain security criteria provides a guarantee that a system can’t be breached and data won’t be lost. That’s completely untrue.”

Many health care organizations are realizing that compliance is not enough. Ebert says in the past, entities were mostly interested in the criteria imposed by HIPAA. But in the past six months, he’s seen a growing interest in applying a much broader framework to security.

“Organizations are getting more cybersecurity guidance, and they’re starting to look at it in a more complex way,” he says.

And the health care industry is not the only one on the hook for securing PHI. Verizon found that almost one-third of medical record breaches occurred in other sectors.

“Even if you’re in industry X, realize that if you have employees, you may have PHI and you need to know where that information resides and what protections you have in place,” Spitler says.

He notes that even when medical information is breached, the bad actors often are after other data, such as Social Security numbers and financial information.

“The attackers are looking more for weaknesses in certain systems than going after specific corporations; the attacks are more opportunistic than targeted,” he says.

Regardless of the industry, Daniels believes there’ll be mounting pressure for companies to protect their data.

“I think what will be a watershed moment in 2016 is that the public is going to demand it,” he says. “Any organization will be expected to protect you from breaches.”
