Report: Healthcare state of security a mixed bag
April 14, 2015 in Medical Technology
Let’s face it: Security has never really been the healthcare industry’s strong suit. It’s been criticized for outdated technology, behind-the-times encryption policies, insider snooping woes and now, more recently, hacker misfortune. In Verizon’s 2015 Data Breach Investigations Report, analysts put healthcare security under the microscope and identified the industry’s biggest security threats, top security shortcomings and the actions it needs to take to get its house in order.
This year’s report set records for the number of organizations participating and security threats identified, with analysts classifying a staggering 80,000 security incidents and 2,100 data breaches. For the healthcare vertical, shared exclusively with Healthcare IT News, officials examined a total of 234 security incidents and 141 confirmed data loss breaches.
One of the most significant changes from last year’s report? We’ll start with the good news: The industry actually made considerable progress in reducing the loss of unencrypted devices. Last year, a whopping 46 percent of healthcare security incidents were due to theft or loss of unencrypted devices; this year’s 26 percent due to theft or loss represents a considerable improvement.
Suzanne Widup, senior analyst on the Verizon RISK team, said she’d like to think it’s due to the healthcare industry finally taking encryption a little more seriously. “It was surprising to see that go down a bit,” she told Healthcare IT News. Despite the marked improvement, though, 26 percent is still a sizable piece of the pie. “It’s still a huge problem,” said Widup.
And it’s not the only problem. The bad news (or we can call it the areas with the most opportunity for improvement) was that although the healthcare industry improved in one category, it saw significant upticks in others.
For one, security incidents caused by insider misuse (think employee snooping and organized crime groups) jumped from 15 percent in 2014 to 20 percent in 2015. This should be a cause for attention, said Widup.
For this category, Widup and her team observed primarily a surge in organized crime groups that position people in healthcare so they can swipe data for tax fraud.
Then there’s the employee-prying problem. And it’s not just a problem involving celebrities. “We still see a fair amount of snooping,” added Widup. “As organizations are putting in better monitoring and they’re reviewing access logs, they’re finding more cases of snooping.”
Healthcare organizations also reported a jump in web app attacks – seven percent, up from three percent in 2014 – and denial of service attacks – nine percent, up from two percent last year. Healthcare DoS attacks are more common than the all-industry average this year, which was pegged at 4 percent. Miscellaneous errors (think accidental employee actions like disposal errors and misdelivery) also saw a considerable bump from last year, representing 19 percent of all security events, Verizon officials pointed out.