Healthcare data breaches in 2015 were most likely to be caused by human error, whether in the form of stolen or lost assets, insider and privilege misuse, or miscellaneous errors such as improper device disposal or mishandling of PHI, reported Verizon in its “2016 Data Breach Investigations Report.”
Researchers at Verizon set out to discover and understand the primary motivations behind data breaches across various industries, including healthcare.
While healthcare ranked only 10th by number of data security incidents among the 21 industries studied, it still reported 166 security incidents in 2015.
Of the 166 healthcare security events, Verizon reported that 115 were confirmed healthcare data breaches.
As the report stated, the majority of healthcare data security incidents were caused by some form of human error.
“You might say our findings boil down to one common theme -- the human element,” Verizon Enterprise Solutions Executive Director Bryan Sartin said in a press release on the study. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we've known about for more than a decade now.”
Of the reported healthcare security incidents, 32 percent involved stolen assets, 23 percent involved privilege misuse, and 22 percent were the result of miscellaneous errors, including inappropriate publishing of information and sending PHI to the wrong recipient.
Among confirmed healthcare data breaches, privilege misuse accounted for 32 percent, followed by miscellaneous error at 22 percent and stolen devices at 10 percent.
In terms of stolen and lost assets, the healthcare industry has seen a rise in security incidents caused by physical theft or loss compared to the 2015 Verizon Data Breach Investigations Report.
The study showed that laptops were the device most often stolen or lost across all industries.
Devices were most often taken from the victim’s work area (39 percent) or the victim’s personal vehicle (33.9 percent).
The healthcare industry is no stranger to potential data breaches caused by stolen devices. In one recent case, 52,076 individuals were notified of possible PHI exposure at a Kansas-based addiction treatment facility after a work-issued laptop containing patient information was stolen from an employee’s car.
Researchers recommended that businesses encrypt data more widely, train staff on physical security, and set policies that treat the loss of sensitive data as a violation with defined consequences.
Many healthcare data security incidents were also caused by insider or privilege misuse, which involved inappropriate or malicious use of company resources. The majority of events were the result of privilege abuse followed by data mishandling and the use of unapproved hardware and software.
Approximately 77 percent of misuse events were caused by an internal actor. One-third of the internal actors were end users who could access sensitive data as part of their job. An estimated 14 percent were in some type of management position while 14 percent were in positions with more access to data, such as system administrators or developers.
For healthcare providers, data mishandling in the form of improperly mailing patient information or uploading PHI to a file-sharing service is a common occurrence. Convenience is often a factor, such as using unapproved services to store PHI because they speed up workflows.
To prevent future breaches from misuse, researchers suggested that organizations monitor employee activity and tightly manage access controls for sensitive data.
Rounding out the top three causes of healthcare data security incidents is miscellaneous errors, such as mis-delivery, publishing errors, and improper disposal of documents or devices containing unencrypted sensitive data.
The majority of these reported events are discovered by an external source, such as a customer or auditor. Out of the 52 miscellaneous incidents in 2015, 43 were found by external actors.
Organizations should develop a system for recording common employee errors, map those errors to effective controls, and establish a process for disposing of information and devices, the report pointed out.
While these potential healthcare data breaches are not intentional, exposing PHI to unauthorized users can have serious consequences for providers.
For example, a healthcare system in California recently agreed to pay a total of $7.5 million in a settlement after PHI was reportedly made accessible via internet search engines between 2011 and 2012. A patient discovered her health information online and notified the provider.
The Verizon study revealed that all companies, including healthcare organizations, should be aware of potential attacks on their sensitive information. According to the report, companies should use two-factor authentication, install system updates promptly, encrypt sensitive and identifiable data, and provide security training for employees.
“This year's report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defense will deter cybercriminals who will move on to look for an easier target,” added Sartin.