When it comes to Protected Healthcare Information (PHI), data security is a big deal, and it matters to every consumer who would like to keep their personal information private.
What is Protected Healthcare Information (PHI)?
Protected healthcare information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual.
Your doctors, nurses, and other healthcare professionals need quick access to PHI data (social security info, insurance info, medical device info, etc.), but this is also the most sensitive data. So, how are they protecting it? Security practices have changed rapidly in healthcare over the past few years, but are they getting it right yet?
Healthcare Industry Update
Verizon recently released their 2018 Protected Health Information (PHI) Data Breach Report. They analyzed over 1300 security incidents where PHI was at risk. Here are some quick facts about the report:
- 58% of incidents involved insiders—healthcare is the only industry in which internal actors are the biggest threat to an
- Medical device hacking may create media hype, but the assets most often affected by breaches are databases and paper documents.
- Ransomware is the top malware variety by a wide margin. 70% of incidents involving malicious code were ransomware.
- Basic security measures are still not being implemented. Lost and stolen laptops with unencrypted PHI continue to be the cause of breach notifications.
Who is behind these attacks?
One of the most interesting findings in the report was the answer to the question, “Who is behind these attacks?” According to the report, focusing on incidents where data was either confirmed as disclosed or was at risk, internal actors are more common than external—which is unique to the healthcare industry.
In the fast-paced world of healthcare, we trust those in charge to take care of us, no matter what. Data security sometimes comes as an afterthought. When money is on the line and bad actors have easy access to our data, fraud can easily happen.
Here are the most common breach scenarios:
The report goes into detail on each breach scenario. The healthcare industry is a highly targeted field, and the security measures in place may need correcting. Over half (51%) of the employees were found misusing privileges, but sometimes that wasn't discovered for several years.
Being Forewarned is Being Forearmed
A great point from the report's wrap-up: One of the primary value adds of this report is that it’s based on analysis of real-world events. That means that it illuminates some of the main trouble spots you’re likely to encounter and being forewarned is forearmed. Knowing the areas of greatest concern allows an entity to dedicate more of its resources to address those concerns and to some extent mitigate the risk associated with them.