According to findings in a recent Verizon report, medical data breaches are not confined to hospitals and health clinics: some 392 million health records have been accessed in 1,931 protected health information (PHI) breaches across 90% of the top-level NAICS industry codes represented. This includes everything from the real estate industry to professional services and construction, to manufacturing, retail, finance, education, public entities, and many more.
These industries have seen health insurance information, personnel files or other data stolen outside of traditional healthcare settings or industries, according to the study. For example, some common sources of protected health information are employee records, including Workers’ Compensation claims, or information for wellness programs, which are not typically well protected. Still other organizations obtain PHI as part of managing their employee health insurance programs, which is a prime target of cyber criminals.
PHI data includes: name, address (including just ZIP code), telephone and fax numbers, email addresses, medical insurance or Social Security numbers, any date more granular than the year, information about beneficiaries, other account numbers (financial or otherwise), license, vehicle or certificate numbers, device or serial numbers (for medical or otherwise salient devices), any associated Internet Protocol (IP) addresses or URLs, all biometric data (finger, retinal or voice prints and/or DNA), full-facial photographic images or images that have unique identifying characteristics, and medical records.
“Many organizations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals.”
Portable devices, including laptops, tablets and flash drives, continue to be a favored target of criminals. Encryption offers a safe harbor by protecting the data even when the asset is compromised, yet according to the Verizon report, theft of these devices is still the leading cause of incidents year after year. Human error is the second most common cause of a breach, which can simply involve sending a medical report to the wrong recipient, losing a laptop, or mistakenly making private information public. The third cause of a breach is misuse, which can result from an employee who abuses his or her access to the information. These three actions make up 86% of all breaches of PHI data.
In addition, the time to discovery most frequently falls into the months and sometimes years category, according to the Verizon report. Incidents that took years to discover were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.
The report emphasizes the need for all employers to implement an ongoing information security program that incorporates people, processes, and technology to address their enterprise-wide business operations and that employs appropriate measurements to manage and improve their data security strategies. Additionally, responsive Cyber Liability coverage should be an integral component of one’s insurance and risk management strategy. Caitlin Morgan provides Cyber insurance to a broad spectrum of industries, including healthcare. We can provide you with custom policies for your insureds to address this increasingly pervasive risk. Give us a call at 877.226.1027.