News Feature | April 30, 2015

"Unencrypted Loss" Breach Level In Healthcare Drops 20 Percent

By Megan Williams, contributing writer

The managing editor of Healthcare IT News has given an overview of the state of HIT as informed by Verizon’s most recent security report, and it reflects what most in the industry already know … things are a bit all over the place.

The original report is available here, but Erin McCann offers some useful comparisons between this year’s and last year’s reports. She starts off her evaluation by listing the primary issues in HIT:

  • concerns about insider snooping
  • hackers
  • outdated tech
  • archaic encryption policies

The Report

This year’s report drew on more organizations than Verizon has ever used; together they reported an enormous 80,000 security incidents and 2,100 data breaches. Within healthcare, 234 incidents were examined, along with 141 data loss breaches.

The Findings

Despite some of the more negative news, the 2015 report does show that healthcare has improved when it comes to losing unencrypted devices. Last year, 46 percent of security incidents resulted from lost unencrypted devices; for 2015 that number dropped to 26 percent, a change that indicates that the industry is finally warming up to the idea of encryption. Suzanne Widup, senior analyst on the Verizon RISK team, weighed in but emphasized that the industry has a long way to go: “It was surprising to see that go down a bit ... It's still a huge problem.”

The Other Side Of The Coin

While the industry is seeing improvements in encryption, things are worsening in other areas, perhaps most prominently in the area of insider misuse, which includes employee snooping and organized crime groups. Such incidents jumped from 15 percent to 20 percent this year. Widup highlighted an increase in organized crime groups placing people in healthcare organizations to steal information for tax fraud.

Beyond that, snooping is also an ever-increasing issue. “We still see a fair amount of snooping. As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping.”

Other Issues

Healthcare is also seeing an increase in Web app attacks, with the rate more than doubling from 3 to 7 percent this year. Distributed denial-of-service (DDoS) attacks more than quadrupled, to 9 percent from 2 percent last year. Miscellaneous errors also jumped to 19 percent of all security events, according to the report.

Overall, Widup sees this not as an improvement, but more as a shift in the threat actors. “A lot of different industries have the same attack profile, even though they’re not really related. If you're going to be doing any kind of intel sharing, look at the other industries that actually have common attacks as the same one you're in because you might actually get better data from them than you do with industries you think are more closely related.”

Going Deeper

For more about possible future encryption requirements in the industry, read “Will HIPAA Require Encryption?”