- Reducing paper-based PHI and establishing a holistic risk management program are critical ways organizations can work toward healthcare PHI data breach prevention, according to Verizon research.
Healthcare is the only industry in which insiders, rather than external actors, posed the greatest threat to sensitive data: 58 percent of incidents came from insiders, the 2018 Protected Health Information Data Breach Report found.
Verizon analyzed 1,368 security incidents across 27 countries, drawing on the dataset behind its 2017 Data Breach Investigations Report.
Approximately one-third (33.5 percent) of threat actions were errors and 29.5 percent were misuse. Physical threats (16.3 percent), hacking (14.8 percent), and malware (10.8 percent) rounded out the top threat action categories.
Even with the push toward digital health records, paper records are still causing data security problems for healthcare organizations, the study showed. Hard copy documents were the assets most often involved in error incidents.
Among error incidents, where an unintentional action directly compromised information, 38.2 percent were caused by misdelivery (records sent to the wrong recipient) and 17.2 percent by disposal error (records discarded without being properly destroyed).
Employees misusing or abusing their access privileges could also create insider threats. Two-thirds of all incidents involving unapproved or malicious use of organizational resources came from privilege abuse.
Data mishandling (21.6 percent), possession abuse (16.9 percent), and knowledge abuse (4.2 percent) were the other significant varieties of misuse behind data breaches.
“Access to a great deal of sensitive information is necessary for healthcare professionals to successfully carry out their duties,” the research team explained. “But along with that access comes the relatively easy ability to abuse it.”
Ninety-one percent of all malware incidents involved ransomware, the report found.
“Due to HHS regulations, ransomware outbreaks are to be treated as breaches (rather than data at risk) for reporting purposes,” the research team wrote. “That poses the question: is it that healthcare organizations are doing a poor job of preventing ransomware attacks or does it only appear that way because they are required to report them all and other industries aren’t?”
“The answer is probably a little bit of both—it’s only fair to point out that ransomware accounts for a very large percentage of malware in other industries as well,” researchers continued.
Phishing accounted for nearly 70 percent of all social attacks, in which individuals are targeted directly to gain access to their credentials, data, or systems. Pretexting was the second most common type of social engineering attack, at 11.7 percent.
Pretexting is “when the criminal emails, calls or otherwise engages an employee in a conversation with end goals such as duping the employee into providing them with their username and password or other sensitive data,” researchers explained.
There is also room for improvement in how quickly healthcare data breaches are discovered, Verizon found. Approximately one-third of breaches went undiscovered for years, and another third for months.
Healthcare organizations need a strong audit process and must regularly monitor and update access controls, the researchers concluded. This helps give the right providers the access they need while reducing inappropriate data access, such as employees snooping on records they have no clinical or business reason to view.
“There will always be a balancing act that healthcare security officers must face, but there’s room for reduction of attack surface and internal threat,” the report explained.
A good healthcare risk management program also needs current and comprehensive data breach detection measures. Tabletop exercises, employee training, and reviewing Internet of Things (IoT) security are just a few of the prevention and detection necessities.
“To initiate [incident response] procedures and checklists, the discovery of a breach must occur,” researchers stated. “Improvements in detection of potential security incidents and/or data breaches are a core component of the overall risk management program.”
OCR also stressed the importance of identity and access management (IAM) policies in its November 2017 Cybersecurity Newsletter. There must be appropriate access to data, with a focus on properly creating and managing user accounts.
Those accounts also need to be terminated at the right time, such as when an employee quits.
“When an employee or other workforce member leaves, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI) by ensuring that the former workforce member’s access to PHI is effectively terminated,” OCR wrote. “Also make sure that mobile devices like laptops and smartphones are returned, and if the use of ePHI on personally-owned phones or other devices is permitted, that those devices are cleared or purged of ePHI.”
Audit logs also matter for IAM policies, OCR noted. Entities should document whenever access (physical or electronic) is granted to employees, when an individual's privileges increase, and when equipment is issued to individuals.
“Have standard procedures of all action items to be completed when an individual leaves – these action items could be incorporated into a checklist,” the agency stated. “These should include notification to the IT department or a specific security individual of when an individual should no longer have access to ePHI, when his duties change, he quits, or is fired.”
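As an added example, not code from the Verizon report, the OCR newsletter, or this article: the two recommendations above, reviewing audit logs for inappropriate access or snooping (the report's conclusion) and confirming that a departed workforce member's access was actually terminated (OCR's checklist), can be checked against the same access log. The script below runs both checks over a constructed ePHI access log. The log format, the treatment relationship table, the HR roster, and every user and patient identifier are assumptions made for illustration, not any EHR product's real schema.

```python
"""
Added example: a minimal ePHI audit-log review that flags two insider patterns,
access with no treatment relationship (snooping) and access by a workforce
member whose account should already have been terminated.

Everything here is constructed for illustration: the tab-separated log format
(timestamp, user, role, patient_id, action), the relationship table and the
roster of termination dates are assumptions, not a real product's schema.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log. In practice this comes from the EHR's audit trail;
# what matters is that every record names who touched which patient and when.
AUDIT_LOG = """\
2018-03-01T09:12:00\tnurse_ana\tnurse\tP1001\tview_chart
2018-03-01T09:14:00\tnurse_ana\tnurse\tP1002\tview_chart
2018-03-01T11:40:00\tdr_lee\tphysician\tP1001\tview_chart
2018-03-01T12:05:00\tnurse_ana\tnurse\tP2007\tview_chart
2018-03-02T08:30:00\tbilling_sam\tbilling\tP1001\tview_billing
2018-03-03T22:15:00\tdr_old\tphysician\tP1002\tview_chart
"""

# Constructed: (user, patient) pairs with a current care or billing relationship.
TREATMENT_RELATIONSHIPS = {
    ("nurse_ana", "P1001"), ("nurse_ana", "P1002"),
    ("dr_lee", "P1001"), ("billing_sam", "P1001"),
}

# Constructed HR roster: user -> last working day. Any access after that date
# means the offboarding checklist did not actually remove the account.
TERMINATED = {"dr_old": date(2018, 2, 15)}


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    user: str
    role: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    kind: str  # "no_treatment_relationship" or "terminated_user_access"
    user: str
    patient: str
    when: datetime


def parse_log(text: str) -> list[AccessRecord]:
    """Parse the tab-separated log; blank lines are skipped, malformed lines raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("\t")
        records.append(AccessRecord(datetime.fromisoformat(ts), user, role, patient, action))
    return records


def review(records, relationships, terminated) -> list[Finding]:
    """Flag access by terminated users first, then access outside a known relationship.

    A former employee reading a former patient's chart is the more serious
    finding, so it is reported even if a stale relationship entry still exists.
    """
    findings = []
    for r in records:
        last_day = terminated.get(r.user)
        if last_day is not None and r.when.date() > last_day:
            findings.append(Finding("terminated_user_access", r.user, r.patient, r.when))
            continue
        if (r.user, r.patient) not in relationships:
            findings.append(Finding("no_treatment_relationship", r.user, r.patient, r.when))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by kind, the shape an audit report or SIEM alert would carry."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = review(parse_log(AUDIT_LOG), TREATMENT_RELATIONSHIPS, TERMINATED)
    for f in results:
        print(f"{f.when.isoformat()}  {f.kind:26}  {f.user} -> {f.patient}")
    print(summarize(results))
```

On the sample log this reports two findings: nurse_ana viewing P2007 with no relationship on record, and dr_old viewing a chart more than two weeks after the roster says the account should have been closed. The relationship table is the hard part in a real deployment; it has to be fed from scheduling, admission and billing systems, or the snooping check produces nothing but false positives.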