We’ve re-examined the data within our Data Breach Investigations Report (DBIR) series (2016 and 2017) to focus in on the healthcare sector’s unique profile and security challenges, and particularly the use/abuse of protected health information (PHI). Our 2018 Protected Health Information Data Breach Report (PHIDBR) is underpinned by 1,368 incidents from this caseload covering 27 countries.
Our major findings are as follows:
58 percent of incidents involved insiders. Healthcare is the only industry in which internal actors are the biggest threat to an organization. Often they are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent).
70 percent of incidents involving malicious code within the healthcare sector were ransomware infections. Mirroring the ongoing use of ransomware across all business sectors, as we reported in our 2017 Data Breach Investigations Report and the cyber-attacks Europe witnessed mid-2017.
27 percent of incidents were related to PHI printed on paper. Medical device hacking may be in the news, but it seems the real criminal activity is found by following the paper trail. Whether prescription information sent from clinics to pharmacies, billing statements issued by mail, discharge papers physically handed to patients, or filed copies of ID and insurance cards, printed documents are more prevalent in the healthcare sector than any other. The very nature of how PHI paperwork is handled and transferred by medical staff has led to preventable weaknesses – sensitive data being misdelivered (20 percent), thrown away without shredding (15 percent), and even lost (8 percent).
21 percent of incidents involved lost and stolen laptops containing unencrypted PHI. More employee education is required to ensure that basic security measures are put in place.