
Healthcare Data Breaches Lag Other Industries

By dnicastro@hcpro.com | August 20, 2010

Healthcare has seen its share of egregious data breaches in the past year, especially with the launch of the Office for Civil Rights (OCR) website, which posts entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals.

However, healthcare may actually be the best industry at securing information, according to a study.

Healthcare accounted for the fewest data breaches, according to the Verizon and US Secret Service "2010 Data Breach Investigations Report." The industry represented just 3% of breaches, while "financial services" accounted for the most at 33%.

The full list of industries that accounted for the breaches in the study is:

  • Financial services: 33%
  • Hospitality: 23%
  • Retail: 15%
  • Manufacturing: 6%
  • Tech services: 5%
  • Business services: 4%
  • Government: 4%
  • Media: 4%
  • Healthcare: 3%
  • Other: 4%

"The targeting of financial organizations is hardly shocking; stealing digital money from information systems rather than vaults is basically just a less primitive form of bank robbery," the report states. "It represents the nearest approximation to actual cash for the criminal. Also, and perhaps more importantly, financial firms hold large volumes of sensitive consumer data for long periods of time."

Certainly, healthcare hasn't been perfectly secure either.

In February of 2009, CVS dumped millions of patients' prescription bottles in public Dumpsters without shredding the information and settled for $2.25 million with OCR and the Federal Trade Commission. The same investigation found similar violations by Rite Aid, which agreed to pay $1 million to the same government agencies. OCR confirmed it is looking into the nation's largest pharmacy, Walgreens.

And of course, there's the list on the OCR website of 138 entities that reported breaches affecting 500 or more individuals. AvMed, Inc. leads that list with a breach that affected 1,220,000 individuals because of a stolen laptop.

As for what is behind data breaches, the Verizon/Secret Service report says 70% resulted from external agents, while only 11% implicated business partners. Nearly half of the breaches (48%) were caused by insiders, and 27% involved multiple parties.

On the "OCR 500" list, business associates were involved in 21% of the 138 cases.


Other notable numbers from the report include:

  • 48% involved privilege misuse
  • 40% resulted from hacking
  • 38% utilized malware
  • 28% employed social tactics
  • 15% comprised physical attacks
  • 98% of all data breached came from servers
  • 85% of attacks were not considered highly difficult
  • 96% of breaches were avoidable through simple or immediate controls

In all, the report surmises that the biggest problem may be stolen and/or weak credentials.

"The amount of breaches that exploit authentication in some manner is a problem," the report says. "In our last report it was default credentials; this year it's stolen and/or weak credentials. Perhaps this is because attackers know most users are over-privileged. Perhaps it's because they know we don't monitor user activity very well. Perhaps it's just the easiest way in the door. Whatever the reason, we have some work to do here. It doesn't matter how hardened our defenses are if we can't distinguish the good guys from the bad guys."

Verizon and the Secret Service also offered these data security tips:

  • Restrict and monitor privileged users. "Insiders, especially highly privileged ones can be difficult to control but there are some proven strategies. Trust but verify," the report says. "Use pre-employment screening to eliminate the problem before it starts. Don't give users more privileges than they need (this is a biggie) and use separation of duties."
  • Watch for "minor" policy violations. Actively search for such indicators rather than just handling them as they pop up. They could lead to major violations.
  • Implement measures to thwart stolen credentials: Keep credential-capturing malware off systems. That's "priority number one." Consider two-factor authentication where appropriate.
  • Monitor and filter egress network traffic: Incoming traffic is one thing, but monitor, understand, and control outbound traffic.
  • Change your approach to event monitoring and log analysis. "In most attacks, the victim has several days or more before data are compromised," the report says. "Breaches take a long time to discover and when that finally happens, it usually isn't the victim who finds it. Finally, almost all victims have evidence of the breach in their logs. It doesn't take much to figure out that something is amiss and a few changes are in order."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
