There are three patterns of behaviour that account for 86% of all healthcare data breaches. And hacking? It’s not nearly as much of a problem as loss and theft of unencrypted devices continues to be. A new report from Verizon has just cracked open the information on healthcare data and how it’s breached, offering valuable insights into healthcare data protection.
In the 2015 Protected Health Information Data Breach Report, Verizon reviewed 392 million records from 1,931 data breaches from 2004 to 2014, looking not only at breaches that affected the healthcare industry but also at breaches that contained medical records or patient data, broadening the scope of the report substantially. The report found that PHI data breaches affected nearly every industry, though of course mostly the healthcare industry (followed by the public sector and finance). Many of the organizations breaching PHI may have no idea they hold such data. Perhaps as troubling, time to discovery of data breaches is measured in months, and sometimes years, so our true understanding of healthcare breaches is inherently flawed by under-reported figures.
The report highlights that the primary action of attack is theft or loss of portable devices (laptops, tablets, thumb drives), followed by human error and finally misuse / malicious insiders. Together, these three actions make up 86% of all breaches of PHI, compared to the nine patterns of actions that make up data breaches across all industries. In the past year, we’ve seen some major hacks in healthcare skew the focus toward hacking as a top priority, but this report reinforces the need for accurate risk-based analysis and security planning. The healthcare industry has been wary of security measures that could affect performance of devices, as Dark Reading notes, but reports indicate that lost or stolen devices not used in patient care may still contain PHI or, just as importantly, credentials to systems that hold medical records.
With nearly half of the US population affected by breaches of PHI since 2009, it’s time healthcare organizations take control over their data. In our whitepaper, Best Practices for Healthcare Data Breach Prevention, we discuss many specific ways you can achieve data protection and compliance, including policy, process and layered-technology defences. Our whitepaper focuses specifically on the risks presented by “people” and by device theft and loss, two of the primary causes of data breaches of PHI.
Absolute DDS for Healthcare is a critical part of an effective layered security model, providing lifecycle security, risk assessment and risk response to help organizations prevent costly data breaches. With Absolute DDS, it’s all about the connection. By maintaining a two-way connection with each device, you have the insight you need to assess risk and apply remote security measures so you can protect each endpoint and the sensitive data it contains. Learn more about Absolute’s security solutions for healthcare here.