By Diana Manos
A new Verizon study on worldwide protected health information (PHI) breaches found 87 percent of breaches occurred in the U.S.
The 34-page Protected Health Information (PHI) Data Breach Report analyzed 392 million actual security records and some 1,931 data breaches, including breaches at the Department of Health and Human Services and a “significant number of records” from the Department of Veterans Affairs.
The report is intended to “help readers understand and focus on lessons learned by going deep into who did what to whom, with what results,” said Bhavesh Chauhan, principal client partner for Security Solutions at Verizon Enterprise Solutions, in an interview with MeriTalk.
According to Chauhan, one of the most surprising findings in this year’s report was the large percentage of non-health-related industries that also experienced PHI breaches. Ninety percent of all the industries studied reported PHI breaches, with health care leading the pack. Other industries with the highest number of breaches included retail, the public sector, finance, and education.
The study also found that hackers don’t really care where they get the data. They are focused on going after particular information and the assets that process and store the data, with no intent to target any particular country.
Hackers want the data to engage in both identity theft and medical billing fraud—“the former having direct impact on an individual or family, and the latter increasing healthcare costs for governments, organizations, and individuals,” authors of the study wrote.
The report found the most common causes of breaches included:
- Loss or misplacement of an asset.
- Misdelivery of documents in the mail or electronically.
- Disposal errors of both paper and electronic information.
- Publishing errors that include posting private information to an Internet-facing system that then becomes indexed by search engines.
The report includes a number of attack graphs, which aim to “put threat patterns under the microscope.”
According to authors of the study, attack graphs are important because “attacks are more like a waltz around the dance floor than they are a straight line.”
“You have to mitigate all paths an attacker can take—not just the straight path from point A to point B,” the report said. “The idea is that if you make it more difficult for the attacker to get to their ultimate goal, they’ll move along to an easier target.”
Despite the somewhat grim findings, the report held a bit of good news. Organizations that handle PHI are detecting breaches faster than other industries.
Diana Manos is a MeriTalk contributing writer.
