Health care data breaches: Top causes and preventive measures

In its annual Data Breach Investigations Report (the 2015 edition, which covers incidents from 2014), Verizon paints a picture of the threats, vulnerabilities, and actions that lead to security breaches, and of how those breaches affect the organizations that suffer them. The report draws on almost 80,000 security incidents in 61 countries and across 20 industries, including health care. Verizon counts an "incident" as any event that compromises an information asset and a "breach" as an incident with confirmed disclosure of data to an unauthorized party. Only a small fraction of all incidents (2.6 percent) ended in confirmed data loss, but in health care the proportion was far higher: data loss was confirmed in 60 percent of the 234 health care incidents recorded for 2014.

The largest category of health care incidents was miscellaneous errors, at 32 percent; health care had a higher share of these errors than any other industry. Privilege misuse was second, at 26 percent. The rest were physical theft or loss (16 percent), point-of-sale intrusions (12 percent), web application attacks (9 percent), cyber espionage (4 percent), and crimeware (1 percent). These are the report's incident patterns, and together the seven account for essentially all health care incidents in the data set.

Miscellaneous errors

Verizon characterized “miscellaneous errors” as unintentional actions by internal staff, and noted that system administrators were the prime actors in over 60 percent of these incidents. The three main categories are: (1) misdelivery, sensitive information sent to the wrong recipient; (2) publishing error, nonpublic data posted to a public web server; and (3) disposal error, personal and medical data discarded without being destroyed. To lower the risk of these errors, the report suggests tracking every error-variety incident to understand how sensitive data can be affected by “goofs, gaffes, fat fingers, etc.” Organizations should:

  • Track how often incidents related to human error occur.
  • Measure the effectiveness of current and future controls, and establish the level of residual risk the organization is willing to live with.
  • Learn from mistakes. For example, the report asks “Was the root cause a combination of autocomplete in the ‘To:’ field and similarly named e-mail aliases?”
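The autocomplete question above points at a check a mail gateway or client plug-in can make before a message leaves: is a recipient a near-twin of a real alias, a typo of one, or (for mail the DLP classifier has marked sensitive) a broad list or an external domain? The following is an added example, not code from the report or from any vendor; the alias directory, the `clinic.example` domain, the messages and the edit-distance threshold of 2 are all constructed assumptions.

```python
"""
Pre-send check for the misdelivery failure mode the DBIR asks about: autocomplete
in the To: field landing on a similarly named alias.  Added example; the alias
directory, domain and messages are constructed, and the edit-distance threshold
is an assumption, not a figure from the report.
"""
from dataclasses import dataclass

INTERNAL_DOMAIN = "clinic.example"          # hypothetical
INTERNAL_ALIASES = {                        # constructed directory extract
    "billing@clinic.example",
    "billing-all@clinic.example",           # broad distribution list
    "j.smith@clinic.example",
    "j.smyth@clinic.example",               # near-twin of the one above
    "records@clinic.example",
}
BROAD_LISTS = {"billing-all@clinic.example"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    recipient: str
    reason: str
    lookalike: str = ""


def check_recipients(recipients, sensitive, max_distance=2):
    """Return the findings to raise before sending.

    `sensitive` is whatever the DLP classifier decided (e.g. the body contains
    PHI); only sensitive mail gets the stricter checks.
    """
    findings = []
    for rcpt in (r.strip().lower() for r in recipients):
        domain = rcpt.rpartition("@")[2]
        near = [a for a in INTERNAL_ALIASES
                if a != rcpt and levenshtein(rcpt, a) <= max_distance]
        best = min(near, key=lambda a: levenshtein(rcpt, a)) if near else ""
        if rcpt in INTERNAL_ALIASES:
            if sensitive and rcpt in BROAD_LISTS:
                findings.append(Finding(rcpt, "sensitive content to broad distribution list"))
            if sensitive and near:
                # Both addresses exist; the sender must confirm which one was meant.
                findings.append(Finding(rcpt, "has a near-twin alias; confirm recipient", best))
        elif near:
            # Unknown address one or two keystrokes from a real one: typo or lookalike domain.
            findings.append(Finding(rcpt, "lookalike of internal alias", best))
        elif sensitive and domain != INTERNAL_DOMAIN:
            findings.append(Finding(rcpt, "sensitive content to external domain"))
    return findings


if __name__ == "__main__":
    for f in check_recipients(["j.smyth@clinic.example", "records@clinic.exarnple"], sensitive=True):
        print(f)
```

The near-twin case is the one that cannot be resolved automatically, since both addresses are legitimate; the check can only force a confirmation step, which is exactly the control the "autocomplete plus similar alias" root cause calls for.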

Insider misuse

Insider misuse is possibly the most difficult type of breach to prepare for, because it requires looking at “those in whom an organization has already placed trust—they are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose.” The report found that virtually every industry experiences privilege abuse, with financial gain and convenience the primary motives. Verizon noted that in these cases the end user is the main culprit, and recommended a strategy of trust, but verify: users leave footprints wherever they go on the network, and those footprints (authentication, file-server, database, e-mail and proxy logs, for example) can be captured and used to audit insider activity. The report notes that “the key is to collect and collate these data sources into a place where they can be analyzed,” and then to analyze them for features such as:

  • volume or amount of content transfer, such as e-mail attachments or uploads;
  • resource access patterns, such as logins or data repository touches;
  • time-based activity patterns, such as daily and weekly habits;
  • indications of job contribution, such as the amount of source code checked in by developers; and
  • time spent in activities indicative of job satisfaction or discontent.
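The collect-collate-analyze loop above is, in practice, a per-user baseline followed by a deviation check. The example below is added here and is not from the report: it covers the first three features in the list (transfer volume, resource access patterns, time-of-day habits) over a constructed, whitespace-separated log of one user's downloads. The log format, the four-day baseline window and the 5x volume multiplier are assumptions to be tuned against real data.

```python
"""
Baseline-and-deviation checks over user activity logs: the analysis step the
DBIR describes, covering three of its listed features (volume of content
transfer, resource access patterns, time-of-day habits).  Added example; the
log format, the log lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines: ISO timestamp, user, action, bytes, resource path.
# Four ordinary working days, then a late-night bulk export.
LOG = """\
2014-03-03T09:12:44 alice download 2048 /records/pt/1001
2014-03-03T10:05:10 alice download 4096 /records/pt/1002
2014-03-04T09:30:01 alice download 3072 /records/pt/1003
2014-03-04T14:12:09 alice download 2048 /records/pt/1001
2014-03-05T09:45:33 alice download 4096 /records/pt/1004
2014-03-05T11:20:00 alice download 2048 /records/pt/1002
2014-03-06T09:10:12 alice download 3072 /records/pt/1005
2014-03-06T15:02:50 alice download 2048 /records/pt/1003
2014-03-07T23:41:05 alice download 52428800 /records/export/all.csv
2014-03-07T23:43:12 alice download 10485760 /records/pt/1006
"""


def parse(log_text):
    """Turn the log lines into (timestamp, user, action, bytes, path) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, nbytes, path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, action, int(nbytes), path))
    return events


def daily_profile(events):
    """Collate per (user, day): bytes moved, directories touched, hours active."""
    prof = defaultdict(lambda: {"bytes": 0, "dirs": set(), "hours": set()})
    for ts, user, _action, nbytes, path in events:
        day = prof[(user, ts.date())]
        day["bytes"] += nbytes
        day["dirs"].add(path.rsplit("/", 1)[0])
        day["hours"].add(ts.hour)
    return prof


def find_deviations(events, baseline_days=4, volume_factor=5.0):
    """Treat each user's first `baseline_days` as their norm; report later days that break it.

    Returns a list of (user, "YYYY-MM-DD", [reasons]).  Window and multiplier are
    assumptions; a real deployment would use a rolling baseline and peer groups.
    """
    by_user = defaultdict(list)
    for (user, day), d in sorted(daily_profile(events).items()):
        by_user[user].append((day, d))

    findings = []
    for user, days in by_user.items():
        base, later = days[:baseline_days], days[baseline_days:]
        if not base or not later:
            continue  # not enough history to compare against
        base_bytes = median(d["bytes"] for _, d in base)
        base_hours = set().union(*(d["hours"] for _, d in base))
        base_dirs = set().union(*(d["dirs"] for _, d in base))
        for day, d in later:
            reasons = []
            if d["bytes"] > volume_factor * base_bytes:
                reasons.append("volume %d vs baseline median %d" % (d["bytes"], base_bytes))
            off_hours = d["hours"] - base_hours
            if off_hours:
                reasons.append("activity at unusual hours %s" % sorted(off_hours))
            new_dirs = d["dirs"] - base_dirs
            if new_dirs:
                reasons.append("first-time access to %s" % sorted(new_dirs))
            if reasons:
                findings.append((user, day.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, day, reasons in find_deviations(parse(LOG)):
        print(user, day)
        for r in reasons:
            print("  -", r)
```

On the constructed log the export day is flagged on all three features at once; a single feature firing alone (one late evening, one new directory) is usually noise, which is why the report stresses collating several data sources rather than alerting on any one of them.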

Physical theft/loss

Unlike other categories of breach, there are “no new tactics being used” by those who steal equipment. Most thefts (55 percent) occur at the workplace, with employee-owned vehicles the next most common location (22 percent). Theft will likely always be a problem, but the report notes that its impact on an organization depends on the sensitivity of the data on the stolen asset and on the controls in place to protect that data’s confidentiality and recoverability. Verizon recommends that organizations know who has which devices and track the volume and variety of devices lost, so that any pattern can be identified and prepared for. It also suggests making it easy to report a lost or stolen device, for example by rewarding reports made within a set number of hours, since a prompt report is what gives a remote wipe a chance to run before the data is read. Other preventive measures include full-disk encryption (which turns a lost device into a hardware loss rather than a data loss, provided the device was powered off or locked and the key was not stored with it), locking down USB ports, password protection, and applications that wipe data remotely.