PHI Breaches: Not Just Healthcare Sector's Problem
Expert Provides Sneak Peek of New Verizon Report Findings
An upcoming Verizon report on health data breaches illustrates that the data is at risk at organizations outside of the healthcare sector, and not just at hospitals, clinics, insurers and their business associates, says security expert Suzanne Widup of Verizon Enterprise Solutions.
The report, to be released in early December, quantifies 1,931 breaches of protected health information involving 392 million records since 1994, Widup explains in an interview with Information Security Media Group. And those breaches span a broad range of organizations.
Many organizations retain health-related information about their employees, she explains. "Oftentimes it's workmen's compensation data, or a lot of organizations have wellness programs where they are going to have [employee] medical information being gathered ... or they are organizations that are self-insured for their employee benefit programs, or are farming [those programs] out to a partner and are getting that [health-related] information from the partner," she notes.
Of 20 sectors that Verizon examined for its report, 90 percent had breaches involving PHI, showing the need to improve prevention and detection of such intrusions across all industries.
The Value of PHI
"Since medical information is such a rich source of information for that kind of criminal activity, [cybercriminals] are really going after that data, whether it's kept in the healthcare sector or is collected in other industries," Widup says.
Personally identifiable data that's under the umbrella of PHI - including names, addresses, Social Security numbers, dates of birth, as well as medical record numbers and diagnoses - can be found in many organizations, she says.
In the interview, Widup also discusses:
- Other preliminary findings from the upcoming Verizon 2015 Protected Health Information Data Breach Report, which examined breach information from a variety of sources, including the Department of Health and Human Services, the U.S. Department of Veterans Affairs, the U.S. Secret Service, the CERT Insider Threat Center and Kaspersky Lab;
- Why healthcare organizations need to do a better job of preventing breaches involving the loss and theft of unencrypted mobile devices;
- Why malicious insiders are nearly equal to hackers in the threat they pose to the healthcare sector.
As a senior analyst at Verizon, Widup is a co-author of the company's Data Breach Investigations Research reports, including the upcoming Verizon report on PHI breaches. Before joining Verizon, Widup held security-related positions at several other organizations, including Pacific Gas and Electric Co., Safeway and Oracle. She is also president and a founding member of the Digital Forensics Association.