PHI is being accessed in healthcare data breaches at an alarming rate, and the United States is the prime location for those incidents, according to the first-ever Verizon Protected Health Information Data Breach Report.
The report shows that in the course of the past year, there have been nearly 392 million patient files containing PHI breached across 1,931 incidents in 25 countries. Nearly 87 percent of these incidents occur in the U.S.
The breadth of this issue is cause for concern, and highlights a need for the healthcare industry to determine best practices for PHI protection.
Most surprising, Verizon found that nearly 90 percent of the 20 industries examined had experienced a PHI data breach. This means that these incidents reach farther than just healthcare organizations.
This happens because many organizations in other industries still need to collect limited health information about clients and employees. For example, an employer may need medical information for insurance purposes or workers' compensation.
These situations may become complicated when considering HIPAA compliance, Verizon says.
“Whether they manage these programs directly (as self-insured entities), or they are getting information from the partner that handles this type of benefit, these can be sources of PHI in organizations that are not covered by HIPAA,” the report states. “Even though an organization is not a HIPAA-covered entity, if PHI is disclosed, many of the existing laws will require notification of a breach to any potentially affected party.”
Verizon also categorized the PHI data breaches by various characteristics, including type of actor. The most prevalent actor was external, followed by internal, and then a partner. Interesting patterns emerged when looking at the kinds of breaches different actors conduct.
For example, hacking is typically done by an external actor, errors are usually made by internal actors, and phishing scams can be carried out by either external or internal actors.
As far as specific kinds of incidents go, Verizon has boiled these down to the nine most common issues.
The most common incident was lost or stolen assets, with nearly 45 percent of incidents characterized as such. This was followed by privilege misuse, miscellaneous errors, a catch-all category, point of sale, web applications, crimeware, cyber espionage, and payment card skimmers.
The report also investigated the kinds of data included in a PHI breach. The three most common data types included medical records, payment or financial information, and personally identifiable information (PII).
The report also touched upon credentials breaches, during which an actor obtains an employee’s username, password, and other login credentials in order to access more information. Although these are not PHI breaches per se, Verizon points out that they can easily lead to widespread PHI data breaches.
However, credentials breaches are most widespread when they affect a minimal number of individuals. In contrast, medical records and PII breaches are most common when they affect a large number of individuals. Financial information breaches are equally common for both small and large numbers of individuals.
Verizon pointed out that one of the long-term negative impacts of PHI data breaches is the distrust between patient and provider. Sharing personal health information is already a difficult thing to do for some, and the knowledge that the information could potentially be breached often motivates some patients to not disclose potentially vital health information. This could cause catastrophic public health issues.
“Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records,” the report confirmed. “This is not only a potential issue for the treatment of a specific patient; there are potential public health implications.”
Although this problem appears daunting, Verizon explained that the healthcare industry has made notable headway in detecting and resolving PHI data breaches in a timely manner. Additionally, enforcement guidelines are increasing, thus providing incentive for healthcare organizations to implement impeccable security protocol.
However, the report explains that there is still much to do about this issue, namely in the area of prevention. Although there is no immediate fix, healthcare organizations can continue to consult studies such as this one to understand the state of PHI security and receive counsel on how to proceed next.
Currently, Verizon executives maintain that what providers can glean from their report is that more can be done to prevent these attacks on PHI security.
“Many organizations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior analyst and lead author of the Verizon Enterprise Solutions report, in a statement. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals.”
Image Credit: Verizon 2015 Protected Health Information Data Breach Report