Verizon Gives Insight Into 2014 Healthcare Data Breaches
In an effort to gain further insight into the ever changing landscape of data breaches, Verizon has released a report, covering 50 global organizations, 1,367 data breaches, 95 countries, and 63,437 security incidents in 2013.
The report (available for download) provides a month-by-month breakdown of breaches and security threats across the year. The report is dominated by retail-centered attacks (earning 2013 the distinction of “year of the retail breach”), but also provides industry specific insight, giving those interested in healthcare data breaches useful information.
Healthcare yielded a total of 26 security incidents (well below public information sector numbers at 47,479), with six in small organizations and one in a large organization. The remaining 19 were in organizations of undetermined size.
When confirmed data losses were considered, seven organizations in total reported incidents — four small organizations and the remaining three of unknown size. (Organizations of unknown size reporting was not uncommon in the survey.)
Frequency Of Incident
The report also provides an industry breakdown of the frequency of incident classification. For healthcare they are as follows:
- POS intrusion — 9 percent
- Web app attack — 3 percent
- Insider misuse — 15 percent
- Theft/loss — 46 percent
- Miscellaneous errors — 12 percent
- Crime ware — 3 percent
- Payment card skimmer — less than 1 percent
- Denial of service — 2 percent
- Cyber espionage — less than 1 percent
- All other — 10 percent
Lost And Stolen Assets
While not the most common security risk across the board, lost and stolen assets are addressed in the report, specifically because of their marked impact on industries like healthcare — specifically because in healthcare, reporting of these incidents are required by industry standards.
The survey found that the top-identified item involved in theft and loss is laptops. Following that are documents, desktop computers, and flash drives. The number one location for theft/loss was the victim work area (43 percent), then personal vehicles (23 percent, and personal residences (10 percent).
It is important to note that across industries, loss happens much more frequently than theft — by a 15-to-one difference — which leads one to infer that loss prevention measures in any industry will yield more benefit than efforts to control malicious threats. The report emphasizes the importance of minimizing the impact of lost materials before an incident does happen. It is also worth noting that the report emphasizes the type of data at risk in the case of theft and loss, with medical data coming in second, behind personal information.
In response, Verizon recommends the following controls.
- Encrypting devices
- Advising employees to keep sensitive devices in their possession at all times
- Establishing backup processes
- Locking devices down to immovable features
- Using technology that is not appealing
The report also addresses breaches due to miscellaneous errors, defining them as “Incidents where unintentional actions directly compromised a security attribute of an
information asset. This does not include lost devices, which is grouped with theft instead.” It also points out that not every error related incident means obvious human errors were involved. Again, public and healthcare sectors dominated the list of offending industries. The top threats in this category were misdeliveries, publishing errors, and disposal errors, accounting for a combined total of 86 percent of reported errors. Top assets affected were documents (49 percent), Web applications (14 percent), and desktops (9 percent).
Other Notable Healthcare Information
Healthcare came in with low reported rates of cyber espionage (2 out of a total 511 incidents reported across all industries). It also shows the industry as placing high emphasis on backups, skilled staff, and data loss prevention as critical security control methods.
Especially in light of moves toward the use of cloud computing and remote medicine, it is important for solutions providers to not only be aware of what types of security risks present true threats to their clients, but also to be able to adjust with coming changes the industry is experiencing.