Physical theft and loss of laptops and other devices containing patient information is by far the most significant security threat to the healthcare industry according to researchers from Verizon who have released their 2014 Data Breach Investigations Report.
The report identified the top security threats across 20 industries by analyzing more than 1,300 confirmed data breaches and more than 63,000 reported security incidents. The report identified the following as the top three causes of security incidents in the healthcare industry in 2013.
1. Theft and loss. The researchers found physical theft and loss was the cause of 46 percent of security incidents in the healthcare industry in 2013. Healthcare was the only industry analyzed that had theft and loss as a major cause of security incidents, with the next closest being public administration with 19 percent of its security incidents caused by theft or loss.
According to Suzanne Widup, senior analyst and co-author of the report, theft and loss is a "sore thumb for the healthcare industry." The reason for the healthcare industry's huge problem with theft and loss is because it "hasn't embraced the solution to encrypt," says Ms. Widup. If encrypted, devices do not have to be reported as a data breach if lost or stolen, because patient data remains secure.
Along with encrypting devices, the report suggests encouraging employees to keep sensitive devices in their possession and in sight at all times and locking down devices containing patient information in the office.
2. Insider misuse. The researchers found insider misuse — any unapproved or malicious use of organizational resources — was the cause of 15 percent of security incidents in the healthcare industry in 2013. Although insider misuse was the source of security incidents for other industries as well, what makes the healthcare industry stand out are the methods outsiders use to "infiltrate the system" and gain access to patient information, says Ms. Widup. Many times individuals get jobs in the healthcare industry for the sole purpose of stealing patient information to commit identity theft or tax fraud, she adds.
In order to prevent insider misuse, Ms.Widup suggests creating an audit trail of the activity and information contained on all devices. Healthcare providers need to know who has accessed patient data, and an audit trail is the best means for tracking the information, she adds. Along with creating an audit trail, the report suggests using data loss prevention products to watch for data exfiltration — when patient data is transferred out of the healthcare organization — to prevent this type of security incident.
3. Unintentional actions. The researchers found incidents where unintentional actions directly compromised patient information was the cause of 12 percent of security incidents in the healthcare industry in 2013. This type of data breach occurs in many ways, including the following that commonly affect the healthcare industry:
- A healthcare provider stuffs one patient's information into another patient's envelope while doing a mass mailing.
- Patients' information is available to the public because a healthcare provider's website is missing security controls.
- Healthcare providers' decommission use of a computer or medical device without properly removing patient information.
In order to prevent this type of security incident, there needs to be quality control measures put into place, says Ms. Widup. The report suggests spot-checking a sample when sending out large postal mailings to ensure the information in the document matches the name on the envelope, and if any computer or device containing patient information is going to be sold or thrown away it needs to be coordinated by the organizations IT department.
More Articles on Data Security:
Healthcare Enrollees Vulnerable After Cybersecurity Breach
UPMC Reports 27,000 Victims of Data Breach
4 Steps to Mitigate Data Security Risks, Maintain HIPAA Compliance