Welcome to the first Verizon Protected Health Information Data Breach Report (PHIDBR). We’re the same team that has brought you the Verizon Data Breach Investigations Report (DBIR) since 2008, and we are excited to revisit some of that data and bring in some new incidents for this report.
The purpose of this study is to shed light on the problem of medical data loss—how it is disclosed, who is causing it and what can be done to combat it. This is a far-reaching problem that impacts not only organizations that are victims of these breaches, but also doctor-patient relationships. And it can have consequences that spread more broadly than just those directly affected by the incidents.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Reasons for the Popularity of Medical Record Theft – OPSWAT
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry has become an increasingly valuable target for cyber thieves, and in some cases, a much easier target to attack, due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminals' interest in the last few years?
This white paper covers various topics including industry data breach statistics, the value of credit card data versus medical record data, healthcare spending on cyber security and the impact of BYOD on industry vulnerability to data breaches. This white paper also highlights various solutions for protecting medical record data including multi-scanning, email security and the protection of endpoint devices.
As hospitals and health care systems continue to expand their digital collection and capabilities, surveys show that their security measures lag behind those of other industries. Hospitals’ weaknesses include their failure to assess the security of staffers’ mobile devices and of medical monitoring equipment that store patient identifiers as well as medical information. Physician groups represent another vulnerability because they often fail to do any security risk analysis.
This session will examine best practices that providers can implement to help keep data safe and hackers at bay.
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Health care providers have become prime targets of cyber criminals, since they hold a treasure trove of irresistible data, including Social Security numbers and medical records (think access to prescription painkillers). As cyber criminals become more sophisticated, medical practices are more vulnerable than ever.
In this webinar "Data Breach: It Can Happen To You," hosted by the Cooperative of American Physicians, Inc. (CAP), viewers will learn:
+ What a data breach is
+ Its economic impact
+ Why the threat is growing
+ Steps to take to protect yourself
+ The must-dos in the event of a breach
Watch the webinar here —> https://youtu.be/mqdMA-UZNy0
About Our Presenters:
Melvin Osswald, Vice President Program Underwriting, NAS Insurance — Ms. Osswald joined NAS in 2002 and specializes in health care, cyber liability, employment practice, directors and officers coverage. Ms. Osswald currently supports NAS’ reinsurance programs and oversees the underwriting and product development of Billing Errors and Omissions, Cyber Liability, Employment Practices Liability, and Directors and Officers programs created to address the new exposures facing health care providers. She has been featured as a guest speaker at various industry conferences addressing the evolving professional liability risks in health care, and served on the Steering Committee of the Southern California Chapter of the Professional Liability Underwriting Society.
Chris Reese, Vice President, Director of Underwriting, NAS Insurance — As part of NAS’ key management team, Ms. Reese provides insurance solutions for clients in the health care industry. She has held leadership positions on both the underwriting and retail broker sides of the business, and has worked in the London market for a reinsurance intermediary. Ms. Reese has been involved with cyber risk insurance for the health care industry since 2004, providing coverage to physicians, medical groups, and integrated delivery systems.
MORE SLIDESHARE PRESENTATIONS
http://www.slideshare.net/capphysicians/presentations
VISIT OUR WEBSITE
http://www.cappphysicians.com
LET'S CONNECT
Twitter: http://www.twitter.com/CAPphysicians
LinkedIn: https://www.linkedin.com/company/cooperative-of-american-physicians-inc-
Facebook: http://www.facebook.com/CooperativeofAmericanPhysiciansInc
Youtube: http://youtube.com/CAPphysicians
Google+: http://www.google.com/+Capphysicians
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI... – ijsptm
Patient information recorded in electronic medical records is the most significant set of information in the healthcare system. It helps healthcare providers deliver high-quality care to patients. The aim of this study is to identify the security threats associated with electronic medical records and to give recommendations for keeping them more secure. The study applied the qualitative research method through a case study, conducting seven interviews with medical staff and information technology technicians. The study results classified the issues facing electronic medical records into four main categories: availability, accessibility, privacy, and safety of health information.
While researchers are technically not covered by HIPAA, it is still important to protect patients' Protected Health Information (PHI). This is a presentation I did for the Society of Clinical Research Associates (SOCRA).
The Future of RCM in Healthcare Organizations – CitiusTech
This document / whitepaper talks about how healthcare technology companies can leverage emerging technologies to derive insights to improve their Revenue Cycle Management process.
The industrial sector was always skeptical about the potential of cloud computing and its capability to overcome the challenges of the manufacturing industry. Now the manufacturing sector has largely accepted cloud solutions, which marks a paradigm shift for manufacturers striving for smarter IT enterprise and business processes.
Uttar Pradesh Solar Rooftop Policy 2014 – Headway Solar
Official document of the Uttar Pradesh Solar Rooftop Policy 2014.
This document is not a work of Headway Solar (http://headwaysolar.com/) and it has been released here for the benefit of the general public.
Official document of the Madhya Pradesh Solar Policy 2012.
This document is not a work of Headway Solar (http://headwaysolar.com/) and it has been released here for the benefit of the general public.
Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.
This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.
Learn more at http://petrieflom.law.harvard.edu/events/details/2016-annual-conference.
Page 9 of 15 Capstone Project Yaima Ortiz IDS-4934.docx – karlhennesey
Page 9 of 15
Capstone Project
Yaima Ortiz
IDS-4934
March 1st, 2020
Abstract
Topic:
Privacy: What medical information should be confidential? Who, if anybody, should have access to medical records?
Thesis Statement
In healthcare centers, and in general, privacy is a right of every US citizen that should be protected in all its forms by the healthcare organization.
Rationale
1. The purpose of this paper is to identify why security measures are necessary to protect one’s privacy in the medical industry.
2. There are numerous laws, policies, healthcare organizational rules and regulations, and statistics that would be helpful for conducting this research.
3. The privacy of a person, whether me or you, is more important than anything. I want to talk about this topic because I think most of us do not know what is happening to us.
4. I have selected textual analysis of books and available internet sources. The reason for this limited research methodology is that I cannot perform a field study because of a shortage of time.
Rough Draft Ideas
Identity theft in the healthcare industry has become a common practice and leads to information leakage that may destroy someone’s life. We can eliminate this human rights violation by enforcing effective and practical laws. Healthcare organizations should understand their responsibilities and tighten security to protect the information of patients.
Table of Contents
Introduction
Overview of Privacy Protections with Respect to Medical Records
Data Breaches in the Healthcare Industry
Healthcare is the biggest Target for Cyber Attack
Penalties and Punishments for Hacking Personal Information
Penalties
Devastating Consequences of Healthcare Data Breaches
Conclusion
Recommendations
Bibliography
Introduction
In the course of their operations, healthcare organizations need to gather patients’ information, most of which is personal. It is the moral and legal responsibility of health care organizations to protect the information of their patients and not to share it with people outside the organization without the patient’s consent. Protecting patients’ information is a crucial element of respect and essential for patients' autonomy and trust in the organization; the US healthcare industry is currently facing a lack of patient trust. When patients experience a lack of confidence, they do not share their information with healthcare professionals, which leads to ineffective treatment. In a 2018 study, Levy, Scherer, Zikmund-Fisher, Larkin, Barnes, & Fagerlin concluded that approximately 81.1% of people withheld medically relevant information from their health-care providers. Patients who fail to disclose medically relevant information to their clinicians undermine their health and cause patient harm (Levy, 2018).
There are numerous components of patient privacy in healthcare, including personal space, religious and cultural affiliations, and physical privacy ...
Quickly made presentation in two hours
Security Risk Management in Healthcare on Cloud using NIST guidelines
More details: (blog: http://sandyclassic.wordpress.com, linkedin: ie.linkedin.com/in/sandepsharma/)
It is indeed boom time for Big Data in Healthcare. According to CBE insights, Big Data startups garnered USD 400M in investor funding in the first half of 2014, as compared to USD 133M in the whole of 2013.
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment or operations in healthcare, and anyone with access to patient information who provides support in treatment, payment or operations.
Responding to a Company-Wide PII Data Breach – CBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Why merging medical records, hospital reports, and clinical trial data is a v... – Arete-Zoe, LLC
Medical privacy and breaches of personal health information (PHI) have been a hot topic for several years. For the clinical trial industry, the main concerns are a decline in recruitment resulting from a lack of confidence in data handling, and instances of breaches that affect data integrity and thereby adversely affect NDA and MA applications in major markets, which precipitates administrative action by national regulators in response to local incidents.
European legislators rely extensively on administrative measures implemented by national competent authorities. Although specific and detailed EU-level legislation exists, specific information about data breaches, cases and incidents, volume and type of affected data, root causes and analysis of consequences is largely missing. According to Howard and Gulyas (2014), this lack of organized event records is currently an empirical obstacle but provides opportunity to generate new knowledge about data and privacy protection that could bolster future trial recruitment.
In the U.S., summary details of breaches that involved more than 500 individuals are available at the OCR portal called Wall of Shame for everyone to analyze. Disclosure obligations in HIPAA made the problem of data breaches in healthcare obvious and protection of the privacy of patients has been an important part of physicians’ code of conduct. This offers lessons learned to mitigate systemic vulnerabilities that undermine trial participation.
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
Our ninth Data Breach Investigations Report (DBIR) pulls together incident data from 67 contributors around the world to reveal the biggest IT security risks you’ll face.
How safe is your web application?
How safe is your Network?
How safe is your e-commerce site, which holds customer card and banking details?
When did you last check your internal and external assets for vulnerabilities?
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Healthcare organizations (HCOs) are facing three major IT security and compliance challenges. First, IT regulations such as HIPAA are getting stricter and enforcement actions are becoming more common and costly....
Adversaries and defenders are both developing technologies and tactics that are growing in sophistication. For their part, bad actors are building strong back-end infrastructures with which to launch and support their campaigns. Online criminals are refining their techniques for extracting money from victims and for evading detection even as they continue to steal data and intellectual property.
As cybercriminals increasingly profit from brazen attacks, your cyber-risk strategy is under the microscope. With the Cisco 2016 Annual Security Report, which analyzes advances by security industry and criminals, see how your peers assess security preparedness in their organizations and gain insights into where to strengthen your defenses.
JMeter webinar - integration with InfluxDB and Grafana – RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring of JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 preview – Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio’s cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 – Tobias Schneck
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Neuro-symbolic is not enough, we need neuro-*semantic* – Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this is illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a button – DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... – Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
2015 Protected Health Information Data Breach Report
90% of industries have experienced a PHI breach.
Verizon Enterprise Solutions
2015 PHI Data Breach Report Contributors
As with the Data Breach Investigations Report (DBIR), we could not do this without the contributions from our partners, and we want to extend our thanks to them.
Contents
Introduction
Methodology
Victims’ vitals (Demographics)
Invasive organisms (Actors and Actions across the dataset)
Patients losing patience (Data subjects and relationships)
Your test results are in (Viewing the data from different perspectives)
The “Nefarious Nine”
Threat patterns under the microscope (Attack graphs)
Triaging the outbreaks (Timeline and discovery)
Diagnosis and prognosis
Lead author: Suzanne Widup
Authors: Gabriel Bassett, Dave Hylender (Chief Snarkitect), Bob Rudis, Marc Spitler
Introduction
Welcome to the first Verizon Protected Health Information Data Breach Report (PHIDBR). We’re the same team that has brought you the Verizon Data Breach Investigations Report (DBIR) since 2008, and we are excited to revisit some of that data and bring in some new incidents for this report.
The purpose of this study is to shed light on the problem of medical data loss—how it is disclosed, who is causing it and what can be done to combat it. This is a far-reaching problem that impacts not only organizations that are victims of these breaches, but also doctor-patient relationships. And it can have consequences that spread more broadly than just those directly affected by the incidents.
For the purposes of this study, protected health information (PHI) is defined as personally identifiable health information collected from an individual, and covered under one of the state, federal or international data breach disclosure laws. PHI may be collected or created by a healthcare provider, health plan, employer, healthcare clearinghouse or other entity. The main criterion is whether there is a reasonable basis to believe the information could be used to identify an individual. In the U.S., the disclosure of this type of information would trigger a duty to report the breach under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and one or more of the state laws.
PHI redux
Even those who help defend it are often unaware just what makes up PHI
data. While you need to work with your legal staff on the specifics for each
jurisdiction, the following data elements associated with an individual—
alone or in combination—are interpreted as PHI by many laws:
• Name, address (including just postal code), telephone and fax
numbers
• E-mail addresses
• Medical insurance or Social Security/National Insurance numbers
• Any date more granular than year
• Information about beneficiaries
• Other (financial or otherwise) account numbers, license, vehicle or
certificate numbers
• (Medical or otherwise salient) device or serial numbers
• Any associated Internet Protocol (IP) addresses or URL/URIs
• All biometric data (e.g., finger, retinal or voice prints and/or DNA)
• Full-facial photographic images or images that have unique
identifying characteristics
• Medical records
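The list above is a legal definition, but it is also the specification for a data-loss prevention check. The following is an added example, not from the report, of a first-pass scanner that flags and redacts some of these identifier classes in free text before it leaves a system. The patterns (US-style SSN and phone formats, five-digit postal codes, IPv4 only) and the sample record are my own constructions; they are illustrative, not a legal test for PHI, and will produce false positives and negatives on real data.

```python
import re

# Added example: regex patterns for some of the PHI element classes listed
# above.  These are illustrative assumptions (US-centric formats, IPv4 only),
# not a legal test for PHI.  Dictionary order matters for redaction: the more
# specific SSN/phone/date forms run before the bare five-digit postal code.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Any date more granular than a year: ISO yyyy-mm-dd or US m/d/yyyy.
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    # A five-digit US ZIP code (optionally ZIP+4) is PHI on its own.
    "postal_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample record: fictitious person, reserved example addresses.
SAMPLE_RECORD = (
    "Patient John Doe, DOB 1962-07-04, SSN 123-45-6789, phone 555-123-4567, "
    "john.doe@example.com, ZIP 27601, seen 03/14/2015 from 192.0.2.10 via "
    "https://portal.example.org/visit/42"
)


def find_phi_elements(text):
    """Return {element_class: [matches]} for every pattern that fires."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def contains_phi_identifier(text):
    """True if any identifier class from the list above is present."""
    return bool(find_phi_elements(text))


def redact(text):
    """Replace each match with a bracketed class label such as [SSN]."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub("[" + name.upper() + "]", text)
    return text


if __name__ == "__main__":
    for element, matches in find_phi_elements(SAMPLE_RECORD).items():
        print(element, matches)
    print(redact(SAMPLE_RECORD))
```

On the sample record the scanner reports seven element classes and the redacted copy keeps the clinical narrative while dropping every identifier. Names are deliberately absent from the patterns: they cannot be matched by shape, which is why production DLP pairs regexes with dictionaries or a trained classifier.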
Methodology
In this report, we focus on PHI and the many ways it can be disclosed. Our dataset for this consists of 1,931 records taken from a combination of the DBIR and the Vocabulary for Event Recording and Incident Sharing (VERIS) Community Database (VCDB).[2] The oldest record is from 1994, but most incidents occurred between 2004 and 2014.
Instead of simply taking incidents where the industry came under the North American Industry Classification System (NAICS)[3] code for “healthcare” (62), we chose a more comprehensive approach to capture incidents that would indicate the most common ways PHI is disclosed. We selected records that met any of the following criteria:
• The industry was “healthcare.”
• The data type lost was “medical records.”
• The data subject/victim relationship was “patient.”
In the DBIR, a data breach is “an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.”[4] Since the reporting laws that govern PHI—largely HIPAA and HITECH—do not have a requirement for confirmation of disclosure, this report expands the definition to include the at-risk category.[5] If the data is at risk and in someone else’s hands, it triggers the requirement to report, so we have included these incidents. What is an example of the difference between at-risk data and confirmed compromises? Think of a laptop that is stolen—can you confirm whether the data has been accessed? Probably not. As you no longer have custody of the asset you cannot perform digital forensics on it. Is the data at risk? Absolutely. Especially if the device is only protected with an operating-system login password and no full-disk encryption: whoever holds the hardware can boot from other media or move the drive to another machine and read the data without ever entering that password.[6]
2 http://vcdb.org/
3 http://www.census.gov/eos/www/naics/
4 http://verizonenterprise.com/DBIR
5 http://veriscommunity.net/enums.html#section-attributes
6 In fact, you can do your own search for “bypass Windows password on laptop” or use this handy URL: http://bfy.tw/2UYL
Victims’ vitals (Demographics)
Our dataset includes incidents from 25 countries, with 90% of the top-level NAICS industry codes represented. There were over 392 million records disclosed that we know of—since 24% of these organizations did not provide a finite number of records involved, the total could be much higher.
There is a strong U.S. bias to the data (87% of incidents), since it includes U.S. Department of Health and Human Services (HHS) incidents, as well as a significant number of records from the U.S. Department of Veterans Affairs (VA), as reported to Congress. Since the VCDB dataset focuses on publicly disclosed breaches, the likelihood of a country appearing is related to the strength of its breach-reporting laws. As countries implement tougher reporting requirements and the makeup of our DBIR data contributors change, we may gain views into other countries where we currently have no representation.
The U.S. bias does not mean that this report isn’t useful for organizations elsewhere in the world. Our data has consistently shown that adversaries’ tactics are influenced by the data they are interested in, as well as the assets that process and store the data—not the country in which the data resides. Attack methods are not tied to latitude and longitude—human error, a major cause of breaches, is a global phenomenon too.
Figure 1. Countries represented in this study
Unsurprisingly, healthcare is the top industry in this dataset—but remember,
falling under NAICS 62 was just one of the criteria for being included in this
dataset. It is interesting to see how many others are included as having met one
of the other two criteria—either disclosing medical data or having the relationship
with the data subject as “patient.” Only two of the top-level industries have no
incidents matching the criteria. This really illustrates the diversity of industries
that have lost PHI.
Table 1. Breaches by industry and organization size (where organization size is known)
Industry (NAICS code)        Total   Small   Large
Agriculture (11)                 1       1       -
Mining (21)                      2       1       1
Utilities (22)                   -       -       -
Construction (23)                1       1       -
Manufacturing (31–33)           11       2       5
Trade (42)                      10       7       3
Retail (44–45)                  43      15      17
Transportation (48–49)           8       2       4
Information (51)                 2       -       -
Finance (52)                   113      42      54
Real estate (53)                 4       3       1
Professional (54)               35      18       -
Management (55)                  -       -       -
Administrative (56)             24      14       5
Educational (61)                51       5      33
Healthcare (62)              1,403     573     339
Entertainment (71)               1       -       1
Accommodation (72)               3       1       1
Other services (81)             19      14       2
Public (92)                    177      31      38
Unknown                         23       -       -
Why are so many other industries having breaches that include PHI? If you think about it, it is surprising that more are not included. How many companies have employees? How many of those employees are involved in workers’ compensation claims? These are likely to include health information, so that is one source where we’d expect to see this type of data collected.
What about companies that collect information for their wellness programs? Some of that data qualifies as PHI as well. Still other organizations obtain PHI as part of managing their employee health insurance programs. Whether they manage these programs directly (as self-insured entities), or they are getting information from the partner that handles this type of benefit, these can be sources of PHI in organizations that are not covered by HIPAA. Even though an organization is not a HIPAA-covered entity, if PHI is disclosed, many of the existing laws will require notification of a breach to any potentially affected party.
Apart from employees, many organizations collect PHI as part of doing business
with their customers. The insurance industry is a prime example, and one
where we have seen some very large data disclosures recently. The fact that
an organization is not in the healthcare industry or isn’t a HIPAA-covered entity
doesn’t mean that it’s not at risk of a PHI data breach.
While we show more incidents in smaller organizations, there were also many at
organizations where we are unsure of the number of employees. So what does
this tell us? Even after taking into account the incidents where the company
size was not provided, the remaining incidents show that PHI loss is not strongly
correlated with organization size.
Invasive organisms (Actors and Actions across the dataset)
We’ll spend most of this report breaking out the data into different points of view. Let’s start with a quick look at the Actors and their Actions.
Actors
Figure 2 shows us information about the perpetrators—those who are actively causing these breaches. While they’re not all going to be “Bad Guys Doing Bad Things,” you can see that overall there are quite a number of External Actors doing dirty deeds.[7]
But the insider threat is alive and well, given the high number of Internal Actors. Keep in mind that many of the insider actions are accidental—not everyone here is malicious, as you’ll see in the Actions section.
Figure 2. PHI dataset overview—Actors (incident count): External 903, Internal 791, Partner 122
Actions
The top three Actions related to PHI incidents are Physical, Error and Misuse. Readers of the DBIR have seen the Physical Action manifest itself in several types of incidents, including the deployment of skimming devices on ATMs and gas pumps. In the PHI dataset, Physical Actions are primarily incidents of theft.
Threat Action categories are commonly associated with a specific type of Actor—although there can be overlap and even collusion. For example, hacking is most often an External Actor, but we have seen hacking by insiders too. Physical Actions are also mostly externally committed, but employees have been known to steal equipment. Social Actions frequently include phishing by External Actors, but sometimes we see employees using their influence to get people to do something they should not.
7 Are they doing them dirt cheap?
Data types
Earlier we presented a non-inclusive list of elements any one of which would, by law, define data as PHI. Many of these elements group together into broader data types. The following data types were disclosed as a result of the incidents that comprise this study:[8]
• Medical records—Likely what first comes to mind when one thinks of a PHI breach. Includes, but is not limited to, diagnosis information, lab results, treatment plans, etc.
• Payment or payment card industry (PCI) information—Credit card information
• Personal or personally identifiable information (PII)—Personal information (e.g., Social Security/National Insurance numbers, name, date of birth)
• Credentials—Unlike the preceding types, this information is not PHI in and of itself, but compromised credentials often are the gateway to the theft of data of other types.
In incidents where records contain more than one data type, we will use the more specific of the two when categorizing them. In the common scenario where a database record contains medical information as well as PII, the incident is classified as “medical records.”
8 Other data types, such as banking information and sensitive internal data, were also disclosed, but not with enough frequency to include in this section.
Figure 3. PHI dataset overview—Actions (incident count): Physical 677, Error 524, Misuse 362, Hacking 215, Malware 110, Social 50
Spending some quality time with Figure 4 reveals some interesting stories about the various data types. Starting with credentials, we can see from the shape of the distribution that high-volume credential breaches are the exception and single credential losses are far more prevalent. We can infer that in most cases credentials are not being harvested in bulk from databases, but stolen one at a time via keyloggers, phishing campaigns or even guesswork. Credentials are a gateway data variety that provide access to other targeted data such as PCI information or PII.
Medical record and PII loss is far likelier to be described in the thousands or greater. Acknowledging that there are plenty of Misuse incidents involving small disclosures of these data types, medical records and PII lend themselves to larger breaches. This is due to the nature of these records. They are often compromised from databases and other assets that store data in bulk.
PCI data shows a wider distribution across records per incident. We see significant areas of concentration in record losses totaling under 100, as well as between 1,000 and 10,000. This shows that, regardless of the volume of payment card transactions an organization processes, security practices around protection of the point-of-sale (POS) environment are a necessity.
Figure 4. Data types disclosed: number of records compromised per incident (log scale, 10^1 to 10^8) for Medical records (1,018 incidents), PII (194 incidents), PCI (37 incidents) and Credentials (24 incidents). Wider areas in the plot indicate a higher concentration of incidents with the same number of impacted records.
Patients losing patience
(Data subjects and relationships)
Think about the last time you talked to your doctor. You were likely in a state
of undress, feeling vulnerable and discussing symptoms that you would not
want disclosed to the world at large. You placed your trust in this healthcare
professional (and their organization) to safeguard your privacy. Now, think how
you would feel if this sensitive information was released. Would it make you feel
less inclined to share your medical information? If so, you wouldn’t be alone.
Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. This is not only a potential issue for the treatment of a specific patient; there are potential public health implications. An unwillingness to fully disclose information could delay a diagnosis of a communicable disease. This is especially true if the disease has an attached stigma.[9][10]
This problem illustrates why it is so difficult to measure the true impact of
breaches. What many organizations fail to remember is that the data they
collect is about the relationship they have with those data subjects. As reports
of medical record losses continue to pile up, the trust between medical providers
and their patients is being eroded. The implications of this may be wider than
practitioners anticipate.
9 http://www.ncbi.nlm.nih.gov/pubmed/23975624
10 http://www.ncbi.nlm.nih.gov/pubmed/25059953
Your test results are in
(Viewing the data from different perspectives)
We wanted to see what impact perspective had on our results, to make sure
we covered as many angles as possible. In the Methodology section, we talked
about the criteria for incidents to be included in this report. A quick refresher: If
the data subject was “patient,” the data disclosed was “medical records” or the
industry was “healthcare,” the incident was included in this study. This means
that we have incidents that may have different characteristics depending on how
you look at them.
To get a better idea of how incidents with each of these criteria differ, we separated them
into three distinct points of view:
• The patient perspective—based on the data subject’s relationship with the
organization that disclosed the data
• The medical records perspective—based on the type of data lost (if it was
medical records, even if other types of data were also lost)
• The healthcare industry perspective—based on the classification of the victim
organization (NAICS 62)
In looking at each of these perspectives, keep in mind that they offer a view into the data
based on their discrete, separately applied criteria. Some incidents will belong to more than
one perspective (for example, if a medical record is disclosed and the relationship to the
organization is “patient,” that incident will be included in both perspectives).
When looking at this data we found some common elements that were present
regardless of which of these three criteria resulted in the inclusion of the incident.
Commonalities
In all three of the perspectives we present in this section, the top three Actions remain Physical, Error and Misuse. Only the number of incidents changes—the order or ranking does not. Figure 5 shows the three perspectives’ Actions side-by-side (although the data is separately selected based on the criteria of each perspective). For efficiency, they are presented together to make comparison easier.
The Physical Action is typically something being stolen, as stated in the Action section. If the device was lost, it would be classified as an Error Action. Thieves are not only targeting electronic devices; many theft incidents involved paper documents or even X-ray films. Both of these are especially concerning, as you can’t (easily) encrypt dead trees (or radiographic film). The instances of X-ray film theft have been thought largely to be for the recycle value rather than the data, but that doesn’t excuse the organization from having to report a breach.[11]
In our section "The Nefarious Nine," we discuss how these actions are combined to
describe the data in the DBIR.
11 http://www.databreaches.net/raleigh-clinic-says-x-rays-were-stolen-may-have-included-patient-information
The patient perspective
We identified 970 incidents where the relationship between the data subject and
the organization is defined as “patient”—the fewest number of incidents of the
three perspectives. There were over 296 million records disclosed in this view
(75% of incidents included a figure for number of records affected), and although
the relationship is “patient,” the data type lost is not always medical records.
Sometimes, PII is breached that does not include medical information.
For those still wondering why PCI data is represented in this study, it is due
to attacks on the POS systems that are processing co-payments in clinics
everywhere. Payment card data is attractive to financially motivated actors, and
POS compromises are not just a retail or accommodation industry problem.
Even when medical records are taken with malicious intent, it is frequently the
associated PII that is targeted and used to commit various types of financial crime,
including tax fraud and identity theft. The medical information may not be what
motivated the Threat Actor, but it provided a means to the end.
Now, when thinking of this relationship of “patient,” you would expect all of the
records to be disclosed from companies in the healthcare sector, amirite? Actually,
17 industries were represented, although healthcare had 70% of the incidents. The
public sector (which is where the VA hospitals land) had 10% of the incidents, and
the finance and insurance sector had 6%.
Figure 5. Actions by perspective, incident count (% of perspective)
Action     Patient        Medical records   NAICS 62
Social     26 (2.7%)      32 (2.2%)         42 (2.9%)
Malware    17 (1.8%)      19 (1.3%)         105 (7.2%)
Hacking    62 (6.5%)      103 (7.0%)        177 (12.1%)
Misuse     251 (26.5%)    255 (17.4%)       275 (18.8%)
Error      273 (28.8%)    444 (30.4%)       345 (23.6%)
Physical   318 (33.5%)    607 (41.5%)       517 (35.4%)
The patient perspective (Figure 6) is the only perspective of the data where the
insider incidents outnumber the External Actors. The number of Actors (if you add
up the columns) exceeds the number of incidents—this is because VERIS allows
for the presence of more than one Actor (and even Actions, Assets or Attributes)
in an incident. Take the example of an External Actor recruiting an Internal Actor to
use their access to steal patient data. Clearly, there are multiple Actors involved,
and multiple actions—bribery by the External Actor and Misuse by the employee.
This is why, in a number of these cases, you will find that the total number of
incidents does not match the number of Actors or Actions.
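As an added example, not code from the report or from the VERIS project, the following applies the three inclusion criteria from the Methodology section (healthcare industry, medical records lost, or patient relationship), keeps only confirmed or at-risk disclosures, and then tallies Actors per perspective over a handful of constructed VERIS-style records, so that the effect described above (an incident with two Actors counting once per Actor) is visible in the totals. Field names follow the VERIS 1.3 JSON schema as I understand it (victim.industry, actor.*, action.*, attribute.confidentiality.data[].variety, data_victim and data_disclosure); treat them as an assumption and check them against veriscommunity.net before running this over real VCDB data.

```python
from collections import Counter

# Constructed VERIS-style incidents (not real VCDB records).  Field names are
# an assumption based on the VERIS 1.3 JSON schema.
SAMPLE_INCIDENTS = [
    {   # a: stolen unencrypted hospital laptop; data at risk, not confirmed
        "incident_id": "a", "victim": {"industry": "622110"},
        "actor": {"external": {"variety": ["Unaffiliated"]}},
        "action": {"physical": {"variety": ["Theft"]}},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Medical", "amount": 3000}],
            "data_victim": ["Patient"], "data_disclosure": "Potentially"}}},
    {   # b: outsider bribes an employee; two Actors, two Actions
        "incident_id": "b", "victim": {"industry": "622110"},
        "actor": {"external": {"variety": ["Organized crime"]},
                  "internal": {"variety": ["End-user"]}},
        "action": {"social": {"variety": ["Bribery"]},
                   "misuse": {"variety": ["Privilege abuse"]}},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Medical", "amount": 120},
                     {"variety": "Personal", "amount": 120}],
            "data_victim": ["Patient"], "data_disclosure": "Yes"}}},
    {   # c: insurer (NAICS 52) misdelivers medical records to customers
        "incident_id": "c", "victim": {"industry": "524114"},
        "actor": {"internal": {"variety": ["End-user"]}},
        "action": {"error": {"variety": ["Misdelivery"]}},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Medical", "amount": 40}],
            "data_victim": ["Customer"], "data_disclosure": "Yes"}}},
    {   # d: retail POS breach, payment card data only; no PHI, excluded
        "incident_id": "d", "victim": {"industry": "445110"},
        "actor": {"external": {"variety": ["Organized crime"]}},
        "action": {"malware": {"variety": ["RAM scraper"]}},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Payment", "amount": 50000}],
            "data_victim": ["Customer"], "data_disclosure": "Yes"}}},
    {   # e: hospital brute-force attempt, forensics ruled out disclosure
        "incident_id": "e", "victim": {"industry": "622110"},
        "actor": {"external": {"variety": ["Unaffiliated"]}},
        "action": {"hacking": {"variety": ["Brute force"]}},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Credentials", "amount": 1}],
            "data_victim": ["Patient"], "data_disclosure": "No"}}},
]


def _confidentiality(incident):
    return incident.get("attribute", {}).get("confidentiality", {})


def is_healthcare(incident):
    """Criterion 1: victim industry is NAICS 62 (any code beneath it)."""
    return str(incident.get("victim", {}).get("industry", "")).startswith("62")


def lost_medical_records(incident):
    """Criterion 2: at least one disclosed data variety is Medical."""
    return any(d.get("variety") == "Medical"
               for d in _confidentiality(incident).get("data", []))


def patient_relationship(incident):
    """Criterion 3: the data subjects include patients."""
    return "Patient" in _confidentiality(incident).get("data_victim", [])


def data_at_risk(incident):
    """The report counts confirmed and at-risk disclosures, not ruled-out ones."""
    return _confidentiality(incident).get("data_disclosure") in ("Yes", "Potentially")


def phi_incidents(incidents):
    """Inclusion rule: data at risk AND any one of the three criteria."""
    return [i for i in incidents if data_at_risk(i) and (
        is_healthcare(i) or lost_medical_records(i) or patient_relationship(i))]


PERSPECTIVES = {
    "patient": patient_relationship,
    "medical records": lost_medical_records,
    "healthcare": is_healthcare,
}


def actor_counts(incidents, perspective):
    """Return (incident count, {Actor category: count}) for one perspective.

    Every Actor an incident lists is counted, so the category counts can add
    up to more than the number of incidents, exactly as in Figure 6.
    """
    subset = [i for i in incidents if PERSPECTIVES[perspective](i)]
    counts = Counter()
    for incident in subset:
        for category in incident.get("actor", {}):
            counts[category.capitalize()] += 1
    return len(subset), dict(counts)


if __name__ == "__main__":
    selected = phi_incidents(SAMPLE_INCIDENTS)
    print("included:", [i["incident_id"] for i in selected])
    for name in PERSPECTIVES:
        print(name, actor_counts(selected, name))
```

On the five constructed records, a, b and c are included, d falls out because it carries no PHI and e because disclosure was ruled out. In the patient perspective two incidents yield three Actor entries (External 2, Internal 1), which is the mismatch between incident and Actor totals described above; the same incident b also contributes both a Social and a Misuse Action.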
The medical records perspective
When the record type disclosed is actually medical data, there were 1,523 incidents,
with over 217 million known records disclosed (with the number of records reported
for 79% of incidents). That’s more incidents than the previous perspective, but fewer
records disclosed. In this viewpoint, 18 industries are represented, with the healthcare
sector accounting for the majority of the incidents (Figure 7). This is the only perspective
that has representation of all of the industries that are present in the study. More simply
stated, every industry—with the exception of utilities (NAICS 22) and management
(NAICS 55)—lost medical data.
The healthcare industry perspective
The third lens we used to look at this dataset is when the top-level NAICS code is 62
(healthcare proper). In this viewpoint, there were 1,403 incidents and over 95 million
records disclosed (with 76% reporting). It was surprising to see that the healthcare
industry was responsible for the smallest number of known records disclosed, compared
to the other two perspectives, and the overall PHI report dataset. This is largely due to
some of the sizeable hacking breaches from other industries, but recent medical record
breaches have shown that the healthcare industry has become a target for attackers.
Figure 6. Actors by perspective, incident count (% of perspective)
Actor      NAICS 62       Medical records   Patient
External   704 (52.1%)    718 (49.9%)       387 (41.4%)
Internal   569 (42.1%)    609 (42.3%)       479 (51.3%)
Partner    74 (5.5%)      105 (7.3%)        63 (6.7%)
As with other perspectives, Physical, Error and Misuse make the podium, but
hacking makes a strong fourth place—a more prominent showing than in the other
two viewpoints. As stated earlier, criminals follow the money, and there are several
areas where healthcare organizations collect payment, (e.g., co-pays, cafeterias,
gift shops). Healthcare organizations are subject to opportunistic attacks on their
POS, just like any other business accepting payment cards.
Nosing around the NAICS
In some of the data, we get more granular-level NAICS codes. This means we
can look into the healthcare NAICS (those beginning 62) and see how the industry
is divided—it spans a wide array of organizational types. We were interested to
see if there were differences in the incidents for, say, a hospital (NAICS 622) and
a nursing home (NAICS 623). Are the people attacking your local doctor’s office
(NAICS 621) the same people who are causing incidents in a social assistance
facility (NAICS 624)?
First, let’s look at the Actions for these incidents. If you are not familiar already with VERIS,[12] it is the framework we use to classify data—both from the cases we investigate and from partners. It is very good at taking a narrative, such as a forensic case report or a news article, and putting it into a standard format. This means that we know we are making apples-to-apples comparisons, regardless of the format the data initially came to us in.
12 VERIS stands for the Vocabulary for Event Recording and Incident Sharing, and we give it away for free. Check out http://www.veriscommunity.net for more information.
Figure 7. Medical records breaches by industry (incident count, %)

  Healthcare (62)        1,403 (72.7%)
  Public (92)              177 (9.17%)
  Finance (52)             113 (5.85%)
  Educational (61)          51 (2.64%)
  Professional (54)         35 (1.81%)
  Unknown                   33 (1.71%)
  Retail (44)               32 (1.66%)
  Administrative (56)       24 (1.24%)
  Other Services (81)       19 (0.98%)
  Trade (42)                11 (0.57%)
  Manufacturing (33)         5 (0.26%)
  Real Estate (53)           4 (0.21%)
  Retail (45)                4 (0.21%)
  Accommodation (72)         3 (0.16%)
  Manufacturing (31)         3 (0.16%)
  Manufacturing (32)         3 (0.16%)
  Information (51)           2 (0.10%)
  Mining (21)                2 (0.10%)
  Transportation (48)        2 (0.10%)
  Transportation (49)        2 (0.10%)
  Agriculture (11)           1 (0.05%)
  Construction (23)          1 (0.05%)
  Entertainment (71)         1 (0.05%)
17. 2015 Protected Health Information Data Breach Report 15
We’ll first look at the Actions to see what kinds of incidents organizations in each
of the three-digit NAICS codes experienced.
Classifying incidents using VERIS
The incident classification section of the VERIS framework translates the
incident narrative of “who did what to what (or whom) with what result” into
a form more suitable for trending and analysis. To accomplish this, VERIS
employs the A4 Threat Model developed by Verizon’s RISK Team. In the
A4 model, a security incident is viewed as a series of events that adversely
affects the information assets of an organization. Every event is comprised
of the following elements (the four A’s):
• Actor—Whose actions affected the asset
• Action—What actions affected the asset
• Asset—Which assets were affected
• Attribute—How the asset was affected
It is our position that the four A’s represent the minimum information necessary
to adequately describe any incident or threat scenario. Furthermore, this
structure provides an optimal framework within which to measure
frequency, associate controls, link impact and many other concepts
required for risk management.
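As an added illustration (not code from the report or from the VERIS project), the following Python sketches how incident records laid out in a VERIS-style JSON structure are reduced to the four A's and rolled up per three-digit NAICS sector, the way Figures 8 and 9 present them. The record layout is modeled on the VCDB's JSON files; the six incidents are constructed for this example, and `missing_as`, `four_as`, `naics3` and `breakdown_by_sector` are names chosen here, not VERIS functions.

```python
from collections import Counter, defaultdict

# Constructed sample incidents laid out VERIS-style (keys modeled on the VCDB
# JSON records); illustrative only, not cases from the report's dataset.
SAMPLE_INCIDENTS = [
    {"victim": {"industry": "621111"},
     "actor": {"external": {"variety": ["Unaffiliated"]}},
     "action": {"physical": {"variety": ["Theft"]}},
     "asset": {"assets": [{"variety": "U - Laptop"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"}]},
                   "availability": {"variety": ["Loss"]}}},
    {"victim": {"industry": "621210"},
     "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}},
     "asset": {"assets": [{"variety": "S - Database"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"}]}}},
    {"victim": {"industry": "622110"},
     "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "asset": {"assets": [{"variety": "M - Documents"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"},
                                                 {"variety": "Personal"}]}}},
    {"victim": {"industry": "622110"},
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]},
                "malware": {"variety": ["Backdoor"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"}]}}},
    {"victim": {"industry": "622310"},
     "actor": {"partner": {"variety": ["Unknown"]}},
     "action": {"error": {"variety": ["Disposal error"]}},
     "asset": {"assets": [{"variety": "M - Documents"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"}]}}},
    {"victim": {"industry": "623110"},
     "actor": {"external": {"variety": ["Unaffiliated"]}},
     "action": {"physical": {"variety": ["Theft"]}},
     "asset": {"assets": [{"variety": "M - Flash drive"}]},
     "attribute": {"confidentiality": {"data": [{"variety": "Medical"}]},
                   "availability": {"variety": ["Loss"]}}},
]

FOUR_AS = ("actor", "action", "asset", "attribute")


def missing_as(incident):
    """A4 completeness check: which of the four A's the record lacks or leaves empty."""
    return [a for a in FOUR_AS if not incident.get(a)]


def four_as(incident):
    """Reduce a record to its A4 summary: actor types, action categories,
    asset varieties and the affected attributes."""
    return (sorted(incident["actor"]),
            sorted(incident["action"]),
            [a["variety"] for a in incident["asset"]["assets"]],
            sorted(incident["attribute"]))


def naics3(incident):
    """Three-digit NAICS sector (621 ambulatory, 622 hospitals, 623, 624)."""
    return incident["victim"]["industry"][:3]


def breakdown_by_sector(incidents, element):
    """Count one A4 element ('action' or 'actor') per sector, with the percentage
    of that sector's incidents, mirroring Figures 8 and 9. An incident with two
    actions is counted under each, as VERIS does."""
    per_sector = defaultdict(list)
    for inc in incidents:
        per_sector[naics3(inc)].append(inc)
    table = {}
    for sector, incs in sorted(per_sector.items()):
        counts = Counter()
        for inc in incs:
            counts.update(inc[element].keys())
        table[sector] = {k: (n, round(100.0 * n / len(incs), 1))
                         for k, n in counts.items()}
    return table


if __name__ == "__main__":
    for sector, row in breakdown_by_sector(SAMPLE_INCIDENTS, "action").items():
        print(sector, row)
```

Because an incident can carry several actions (the hospital intrusion above is both hacking and malware), the per-sector percentages in a figure like Figure 8 need not sum to 100%.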
The healthcare industry is divided into four separate three-digit NAICS codes:
• 621 – Ambulatory healthcare services (includes all types of doctor and dentist offices)
• 622 – Hospitals
• 623 – Nursing and residential care facilities
• 624 – Social assistance

Figure 8. Actions by three-digit NAICS code (incident count, % of industry)

  Action     NAICS 621     NAICS 622
  Physical   285 (38.9%)   169 (32.0%)
  Error      161 (22.0%)   149 (28.2%)
  Hacking    105 (14.3%)    39 (7.4%)
  Misuse     102 (13.9%)   133 (25.2%)
  Malware     67 (9.2%)     18 (3.4%)
  Social      11 (1.5%)     20 (3.8%)
  (The figure also plots NAICS 623 and 624, with 41 incidents each.)
Clearly, some of the sectors in this industry experienced far more incidents than
others. NAICS 621 and 622 together accounted for 94% of the incidents, and NAICS
621 alone surpassed half of the total. Looking at NAICS 621, you see that the
problem with Physical Actions (primarily theft of physical assets) far surpasses
other Actions. For NAICS 622, the top three Actions are much closer to each other.
To answer the second question about the people perpetrating these breaches, we
can look at the Actors for each sector.
For our ambulatory care providers, External Actors are having a field day. Given
the preponderance of the Physical Attack vector in Figure 8, it stands to reason that
there will be many of these thefts committed by people who are external to the organization.
Hacking activity is also typically perpetrated by External Actors, and NAICS 621
shows this too.
Look at the Actors for the hospitals (622). While Physical Actions are most likely
external parties, Error and Misuse are most frequently Internal Actors. Hospitals
also have more Internal Actors committing breaches. Looking back at Figure 5,
they have close to parity between the Physical, Error and Misuse Actions.
Figure 9. Actors by three-digit NAICS code (incident count, % of industry)

  Actor      NAICS 621     NAICS 622
  External   399 (59.6%)   212 (42.0%)
  Internal   233 (34.8%)   259 (51.3%)
  Partner     36 (5.4%)     32 (6.3%)
  (The figure also plots NAICS 623 and 624, with fewer than 50 incidents each.)
“Error” is the second most common action for NAICS 622. Since most of these are
unintentional actions by employees, we wanted to take a closer look at the types of errors
occurring. In Figure 10, we see the most common errors for each sector. These errors are
prevalent across not just the PHI dataset, but also the DBIR. We’ll discuss them further
when we talk about the incident classification patterns in the next section.
Figure 10. Error variety by three-digit NAICS code (incident count, % of industry)

  Error variety      NAICS 621    NAICS 622
  Disposal error     60 (37.0%)   32 (21.5%)
  Loss               59 (36.4%)   61 (40.9%)
  Misdelivery        22 (13.6%)   35 (23.5%)
  Publishing error   13 (8.0%)    13 (8.7%)
  (The figure also plots NAICS 623 and 624, with fewer than ten Error incidents each.)
The “Nefarious Nine”
If you’ve been following the DBIR, you know that we can describe 96% of that
data (in the overall dataset) using just nine incident patterns. In this PHI dataset,
we find that we can describe 93% of the data with these same patterns. Just
three of the patterns describe 85% of the incidents.
First among the patterns is Lost and Stolen Assets. It is frustrating to see this
category return year after year because it’s one of the more easily solved
problems. Encryption (particularly of portable devices) offers a figurative “get out
of jail free” card since the data remains secure despite the loss of control over the
asset.[13] In the vast majority of cases, this means the incident does not trigger a
duty to report under most breach laws. However, in healthcare there is legitimate
concern for any control that increases time to access data in an emergency
situation. That said, not all of these assets had a function where emergency access
is likely to be needed. We’ve seen researchers’ laptops holding significant numbers
of records being lost or stolen that would not endanger patients if the asset had
security controls. If there are areas where you can effect change in the risk profile,
they should be explored. Even if organizations only encrypt a subset of their
portable assets, it will reduce the overall risk of a breach on those assets that are
not directly used for patient care.
13 Assuming the encryption passphrase is not written on a sticky note and lost along with the asset—don’t laugh; we’ve seen that.

Figure 11. The “Nefarious Nine” patterns (incident count, %)

  Lost and Stolen Assets    807 (45.4%)
  Privilege Misuse          361 (20.3%)
  Miscellaneous Errors      357 (20.1%)
  Everything Else*          119 (6.7%)
  Point of Sale              68 (3.8%)
  Web Applications           33 (1.9%)
  Crimeware                  25 (1.4%)
  Cyber-Espionage             6 (0.3%)
  Payment Card Skimmers       1 (0.1%)
  Denial of Service**         0 (0.0%)

* “Everything Else” is a catch-all category not included in the Nefarious Nine proper.
** Denial-of-service incidents without data disclosure are not included.
Privilege Misuse—when people who have legitimate access to the networks and
systems of an organization use that access to do “bad things”—is driven by a
variety of motivations. A common scenario is the “snooping employee,” and the
most obvious case is curious staff members looking at medical records of a
celebrity or dignitary. External entities also employ strong financial incentives to
recruit company employees to gain access to the rich array of information found
in medical records. A good way to deter those who would be swayed to this life
of crime is to educate them that people often get arrested for such actions.[14]
Sanitized results of audits that catch people abusing their access are also useful to
include in your awareness program.
Errors can be difficult for an organization to combat, and usually boil down to the
need for checks along the way in processes that handle PHI. The most common
errors are:
• Loss—Loss or misplacement of an asset.
• Misdelivery—Whether it is documents in the mail or electronic information in
e-mail, it amounts to people getting data they weren’t supposed to.
• Disposal errors—Primarily paper documents, but also electronic devices
containing sensitive information.
• Publishing errors—When private information gets posted to an Internet-facing
system and then is indexed by search engines.
For lost or even stolen devices, it is critical to ensure the organization has an easy
way for people to report these incidents quickly. The sooner you know, the faster
you can react to the breach.
14 Don’t believe us? Take a look for yourself: https://github.com/vz-risk/VCDB/issues?utf8=%E2%9C%93q=label%3ABreach+PHI
Figure 12. Detail on the Misuse vector (incident count, %)

  LAN access         253 (71.7%)
  Physical access     78 (22.1%)
  Noncorporate        11 (3.1%)
  Remote access        8 (2.3%)
  Other                3 (0.8%)

Figure 13. Error Action top five (incident count, %)

  Loss               163 (31.3%)
  Misdelivery        143 (27.5%)
  Disposal error     136 (26.2%)
  Publishing error    47 (9.0%)
  Misconfiguration     9 (1.7%)
Electronic misdelivery is more difficult to combat than paper documents. It is far
too easy to accidentally address an e-mail to the wrong person—or even an entire
e-mail distribution list. If the organization has data-loss prevention controls in
place that can hold e-mails containing sensitive information from going out of the
company while the “legit-ness”[15] is verified, there is at least a hope of catching
these kinds of errors before they become an actual breach.
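To make the hold-and-verify idea concrete, here is an added Python example (not code from the report or from any DLP product) of the decision a mail gateway can make before releasing an outbound message. The PHI indicators (a US SSN pattern and a labelled medical record number), the corporate domain `clinic.example`, the recipient threshold and the four sample messages are all assumptions constructed for this example; a real deployment would take its patterns from its own data-classification policy.

```python
import re

# Assumed organizational settings for this example (not from the report).
INTERNAL_DOMAIN = "clinic.example"
MAX_RECIPIENTS = 5   # more than this looks like an entire distribution list

# Hypothetical PHI indicators: a US SSN and a labelled medical record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Constructed outbound messages, illustrative only.
SAMPLE_MESSAGES = [
    {"to": ["billing@clinic.example"], "subject": "Claim follow-up",
     "body": "Please review MRN: 00123456 before resubmitting the claim."},
    {"to": ["j.doe@mail.example"], "subject": "Your results",
     "body": "Hi, your record (MRN 00123456) shows the lab results are back."},
    {"to": [f"nurse{i}@clinic.example" for i in range(7)], "subject": "Weekly roster",
     "body": "Patient 123-45-6789 moves to ward B on Monday."},
    {"to": ["vendor@supplier.example"], "subject": "Lunch?",
     "body": "Noon at the cafeteria works for me."},
]


def phi_indicators(text):
    """Names of the PHI patterns that match the text."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


def is_external(address):
    """True when the recipient is outside the organization's mail domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def review_outbound(message):
    """('hold', reasons) when PHI indicators are headed outside the organization
    or to an unusually wide audience; otherwise ('allow', [])."""
    indicators = phi_indicators(message["subject"] + "\n" + message["body"])
    if not indicators:
        return "allow", []
    reasons = []
    external = [r for r in message["to"] if is_external(r)]
    if external:
        reasons.append(f"{indicators} addressed to external recipient(s) {external}")
    if len(message["to"]) > MAX_RECIPIENTS:
        reasons.append(f"{indicators} addressed to {len(message['to'])} recipients")
    return ("hold", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], review_outbound(msg))
```

A held message is not a breach: it sits in a queue until someone confirms the recipients were intended, which is exactly the check the paragraph above describes. The roster example shows the second failure mode, a message that never leaves the company but is about to reach a whole list.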
Most paper misdelivery incidents were from mass mailings where the envelope
addresses and contents got out of sync, and nobody checked samples before
sending it all off. This is a common problem in the public sector. It’s difficult to hold
a candle to the government when it comes to sending out large amounts of paper.
Disposal errors are sometimes the work of the third parties contracted to handle
the disposal of paper and electronics not living up to their contracts. When you
draft your legal requirements for the partnership, make sure to include penalties
that are commensurate with the severity of a breach.
The nine patterns over time
Looking at the trend of the nine patterns over time (Figure 14) shows how the mix
has changed. The Internal Actor (Privilege Misuse) has been a constant companion
for organizations in this dataset, but you can see how it really took off in 2013. Web
Applications attacks have also seen a steady growth over the years, whereas the Point of
Sale attack appeared to not be an issue in 2013, but has since enjoyed a mini-renaissance.
You can see the dominance of the Lost and Stolen Assets pattern through the
years for this dataset. There hasn’t been much progress on mitigating that risk, and
it has seen a steady growth. The Miscellaneous Errors pattern also saw a jump in
2013, but has dropped some since then. However, we don’t think people are going
to stop making mistakes any time soon, so it is a safe bet that pattern will be in it
for the long haul.
15 Yes, that IS a technical term.
Figure 14. Number of breaches by pattern over time, 2010–2014. Series (count in legend): Web Applications (14), Privilege Misuse (70), Point of Sale (11), Miscellaneous Errors (86), Lost and Stolen Assets (131), Everything Else (21), Cyber Espionage (4), Crimeware (7), Denial of Service (0), Payment Card Skimmers (0).
Figure 15.
PHI dataset attack graph
Threat patterns under the microscope (Attack graphs)
Attack graphs can seem a bit daunting if you’ve not seen them before. To the
beginner, they may even seem like a big knot of kill chains[16] devoid of meaning.
Fear not! We will explain the unexplainable and perhaps even help you learn to
love them. If nothing else, you’ll no longer look at attack graphs and think,
“What a mess!”
First, gaze upon the attack graph for the PHI dataset.[17]
16 Or a plate of spaghetti. Who knew breach research can also make you hungry? Seriously, back to kill chains: http://www.lockheedmartin.com/us/what-we-do/information-technology/cybersecurity/tradecraft/cyber-kill-chain.html
17 Does it remind you of that nail-and-string art from the 1970s? No, me neither—I’m not old enough to remember that.
Figure 15 legend: Start; Action environment; Action hacking; Action malware; Action misuse; Action physical; Action social; Attribute availability; Attribute confidentiality; Attribute integrity; End. Points A and B mark the two ends of the graph discussed below.
Attack graphs are really just illustrating how the perps are getting from point A to
point B (sometimes having to take detours through points C, D and E if the direct
route doesn’t work for them). What are points A and B? Point A is where an Actor
starts, and point B is their ultimate target—out the other end of the graph, clutching
your data in his claw-like hands. Are you with us so far? Okay, then looking at
Figure 15, that is just the collection of paths between the points taken.
Attack graphs are important for defenders. We all know incidents aren’t just a
single point in time, but if you just think about incidents as a chain of events,
you might miss the fact that attacks are more like a waltz around the dance floor[18]
than they are a straight line. You have to mitigate all paths an attacker can take—
not just the straight path from point A to point B. The idea is that if you make it
more difficult for the attacker to get to their ultimate goal, they’ll move along to
an easier target.
The paths in the attack graph are risks. They show the action taken and the target
that was successfully compromised. Listed in Table 2, you can see that the top 10
easiest-starting actions/ending compromises for attackers were:
1 Theft leading to loss of physical assets
2 Theft leading to breached medical records
3 Privilege abuse leading to breached medical records
4 Theft leading to breached personal information
5 Privilege abuse leading to breached personal information
6 Disabled physical controls leading to loss of physical assets
7 Disabled physical controls leading to breached medical records
8 Knowledge abuse leading to breached medical records
9 Phishing leading to altered behavior[19]
10 Data mishandling[20] leading to breached medical records
Now that you know what the most common paths are, you need to tailor your mitigations
to make it harder for the attacker to successfully traverse your organization—throw some
roadblocks in their way! No organization is completely secure, but you want to put up as
many obstacles for the attacker to overcome as you can within your existing resources.
The biggest challenge is that you need to stop every way an attacker can get from that
first action to their final goal. That’s why information security is hard. Defenders must
stop every avenue of attack; attackers only have to find one path that still lets them
compromise their target.
Prioritized mitigations
We all want to get the most bang for our buck. The less we spend on mitigations,
the more we get to spend on holiday parties and quadcopters for the office.
The attack graph doesn’t just show us what the attackers do, it gives us an idea
of what mitigations make attacking toughest for the bad guys. Figure 16 shows
the mitigations in prioritized order according to how much more difficult it will
make things for the attacker. Mitigate the first two alone, and you’ve made your
organization over three times harder to be breached than one with no mitigations.
18 With spins and maybe even a dip!
19 “Alter behavior” is a VERIS term. It’s what happens when an attacker’s actions cause someone to do something
different. Normally, it’s something they shouldn’t do, like visiting a malicious link, which can then result in malicious
software being installed on their computer.
20 Data mishandling could be due to someone who loads data onto a portable drive to take home to work on over the weekend (against
policy). It could also be caused by someone who is sending sensitive data to their personal e-mail as a method of exfiltration.
Table 2.
Most likely risks
You can see from the figure above that when you take the first steps to make
your environment more complex to attack, you get a big effect. But after those initial
activities, you’ll get less and less return for your efforts. Sure, you could keep applying
mitigations, but the money might be better spent on ensuring those first few
controls are properly implemented, that your operations team is well resourced to
handle those breaches that do get through or maybe on that quadcopter for the
office. You know, for morale.
Figure 16. Relative shortest path-length increase from mitigation (security value, 1X to 4X, by mitigation step: no mitigation; Physical: theft; Misuse: privilege abuse; Physical: disable controls)
Figure 17. Theft leading to loss path: Start → Theft → Availability loss → End
Practical use case
So how can you use attack graphs in your work? Let’s go over the most common
path we saw in the PHI dataset—theft of Physical Assets leading to loss of a
Physical Asset.
This is the shortest path in the attack graph for this dataset. To mitigate the attack
shown in Figure 17, you’d be looking to put controls in place that stop the theft
Action from successfully compromising the data on the asset stolen. So if we are
looking at a laptop theft, encryption is a common control. You won’t stop the theft
from happening, and there will still be an availability loss because you no longer
have the asset, but the data is no longer at risk.
Figure 18 shows the other ways attackers got to the “availability loss” node, and
illustrates that you have your work cut out for you, since you must mitigate each
path. However, in doing this type of analysis, you can see where the controls need
to be placed to mitigate each leg of the journey the attacker is taking.
If you want to do a few attack-graph what-if scenarios of your own, check out the
DBIR attack graph tool.[21] Just watch the five-minute tutorial and you’ll be ready to
impress your friends and family with your attack graph prowess![22]
21 http://dbir-attack-graph.infos.ec/
22 https://securityblog.verizonenterprise.com/?p=7038
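The "Prioritized mitigations" and "Practical use case" sections above describe a procedure: find the cheapest Start-to-End path, remove the Action a mitigation blocks, and measure how much longer the cheapest remaining path became. The following Python is an added toy version of that analysis, not the DBIR attack graph tool's own code. The node names follow the VERIS action and attribute vocabulary used in the report, but the graph, its edge counts and the modeling choice that a step costs 1/count (so the steps attackers take most often are the cheapest) are assumptions constructed for this example; `build_graph`, `shortest_path`, `paths_into` and `prioritize_mitigations` are names chosen here.

```python
import heapq
from fractions import Fraction

# Constructed attack graph: (from, to, number of incidents that took this step).
# Node names follow the report's VERIS vocabulary; the counts are invented.
EDGES = [
    ("Start", "Physical: theft", 400),
    ("Physical: theft", "Availability: loss", 380),
    ("Physical: theft", "Confidentiality: medical records", 300),
    ("Start", "Misuse: privilege abuse", 250),
    ("Misuse: privilege abuse", "Confidentiality: medical records", 240),
    ("Start", "Physical: disable controls", 60),
    ("Physical: disable controls", "Availability: loss", 50),
    ("Physical: disable controls", "Confidentiality: medical records", 40),
    ("Start", "Misuse: data mishandling", 30),
    ("Misuse: data mishandling", "Confidentiality: medical records", 25),
    ("Misuse: data mishandling", "Availability: loss", 10),
    ("Start", "Social: phishing", 20),
    ("Social: phishing", "Integrity: alter behavior", 20),
    ("Integrity: alter behavior", "Hacking: use of stolen creds", 15),
    ("Hacking: use of stolen creds", "Confidentiality: medical records", 15),
    ("Availability: loss", "End", 500),
    ("Confidentiality: medical records", "End", 620),
]

# Actions a defender could mitigate (the candidates ranked below).
ACTIONS = ["Physical: theft", "Misuse: privilege abuse", "Physical: disable controls",
           "Misuse: data mishandling", "Social: phishing"]


def build_graph(edges, blocked=frozenset()):
    """Adjacency map. Modeling assumption: a step costs 1/count, so the paths
    attackers use most often are the cheapest; a mitigated node disappears."""
    graph = {}
    for src, dst, count in edges:
        if src in blocked or dst in blocked:
            continue
        graph.setdefault(src, []).append((dst, Fraction(1, count)))
    return graph


def shortest_path(graph, start="Start", end="End"):
    """Dijkstra. Returns (cost, path) or (None, []) when End is unreachable."""
    best = {start: Fraction(0)}
    prev = {}
    heap = [(Fraction(0), start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == end:
            path = [node]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[node]:
            continue
        for nxt, weight in graph.get(node, []):
            new_cost = cost + weight
            if nxt not in best or new_cost < best[nxt]:
                best[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    return None, []


def paths_into(edges, target):
    """Every node with a direct step into `target` (the Figure 18 view)."""
    return sorted({src for src, dst, _ in edges if dst == target})


def prioritize_mitigations(edges, candidates):
    """Greedy ranking in the spirit of Figure 16: each step blocks the candidate
    whose removal raises the cheapest Start->End cost the most. Returns a list of
    (action, relative increase over the unmitigated graph); the increase is None
    once no path to End remains."""
    baseline, _ = shortest_path(build_graph(edges))
    blocked, plan, remaining = set(), [], list(candidates)
    while remaining:
        best_node, best_score = None, None
        for node in remaining:
            cost, _ = shortest_path(build_graph(edges, blocked | {node}))
            score = float("inf") if cost is None else cost
            if best_score is None or score > best_score:
                best_node, best_score = node, score
        blocked.add(best_node)
        remaining.remove(best_node)
        if best_score == float("inf"):
            plan.append((best_node, None))
            break
        plan.append((best_node, best_score / baseline))
    return plan


if __name__ == "__main__":
    print("cheapest path:", shortest_path(build_graph(EDGES))[1])
    for action, factor in prioritize_mitigations(EDGES, ACTIONS):
        print(f"{action:32s} {'unreachable' if factor is None else f'{float(factor):.2f}X'}")
```

With these constructed counts the cheapest path is theft leading to availability loss, and the greedy ranking picks theft, then privilege abuse, then disabled physical controls, the same order the report's Figure 16 shows; the diminishing return the text describes appears as the remaining paths get progressively rarer. Exact fractions are used so the relative increases are reproducible rather than rounded.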
Figure 18. Paths leading to loss: Start → Theft / Disable controls / Misuse / Mishandling → Availability loss → End
Triaging the outbreaks
(Timeline and discovery)
If a tree falls in the forest but there’s nobody around to hear it, does it still
make a sound? If you’re pwned and can’t see the alerts, do you still get a
HIPAA fine? That is what comes to mind when we think of all the tools and data
flooding into security operations centers (SOCs), but still see breaches going
undiscovered for months.
There is a school of thought among information security professionals that you
should simply work from the assumption that you’ve already been compromised. If
that is the premise, how long does it take for you to detect a breach? In the DBIR,
we showed what we call the “detection deficit,” which illustrated a period of time (in
this case, one week). Figure 19 shows the data for the overall DBIR dataset.
You can see that the bad guys (the top line) are (successfully) pwning people left
and right, while the good guys (the bottom line) are having far less success at
detecting these attacks (so many trees falling over with nobody to hear them). The
space between is the “detection deficit,” and while this past year showed us the
best news we’ve seen since we started recording (45% is our smallest deficit to
date), the news is not so great overall.
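As an added example (not code from the report), the following Python computes the detection deficit described above from incident timeline data: for each year, the share of incidents whose time to compromise was "days or less" minus the share whose time to discovery was "days or less". It also buckets discovery times into days, weeks, months and years as Figure 21 does. The unit names follow the VERIS timeline enumeration; the nine records are constructed for this example, and `pct_days_or_less`, `detection_deficit` and `discovery_distribution` are names chosen here.

```python
from collections import Counter, defaultdict

# VERIS timeline units, in order. "Days or less" is everything up to "Days".
UNITS = ["Seconds", "Minutes", "Hours", "Days", "Weeks", "Months", "Years"]
DAYS_OR_LESS = set(UNITS[:UNITS.index("Days") + 1])

# Constructed records: (year, time-to-compromise unit, time-to-discovery unit).
# Illustrative only; "Unknown" marks a timeline the report could not obtain.
SAMPLE = [
    (2013, "Minutes", "Months"),
    (2013, "Hours", "Weeks"),
    (2013, "Days", "Days"),
    (2013, "Weeks", "Years"),
    (2013, "Minutes", "Unknown"),
    (2014, "Minutes", "Days"),
    (2014, "Days", "Hours"),
    (2014, "Months", "Months"),
    (2014, "Hours", "Weeks"),
]


def pct_days_or_less(units):
    """Share of the known timeline values that fall in 'days or less';
    None when no value is known (unknown timelines are excluded, not counted as slow)."""
    known = [u for u in units if u in UNITS]
    if not known:
        return None
    return 100.0 * sum(u in DAYS_OR_LESS for u in known) / len(known)


def detection_deficit(records):
    """Per year: % compromised in days or less, % detected in days or less, and
    the gap between them (the 'detection deficit' of Figures 19 and 20)."""
    by_year = defaultdict(lambda: ([], []))
    for year, compromise, discovery in records:
        by_year[year][0].append(compromise)
        by_year[year][1].append(discovery)
    result = {}
    for year, (comp, disc) in sorted(by_year.items()):
        c, d = pct_days_or_less(comp), pct_days_or_less(disc)
        result[year] = {"compromise": c, "detect": d,
                        "deficit": None if c is None or d is None else c - d}
    return result


def discovery_distribution(records):
    """Per year: % of known discovery times in Days/Weeks/Months/Years buckets
    (sub-day units roll up into 'Days'), as Figure 21 presents them."""
    buckets = ["Days", "Weeks", "Months", "Years"]
    by_year = defaultdict(list)
    for year, _, discovery in records:
        if discovery in UNITS:
            by_year[year].append("Days" if discovery in DAYS_OR_LESS else discovery)
    return {year: {b: round(100.0 * Counter(vals)[b] / len(vals), 2) for b in buckets}
            for year, vals in sorted(by_year.items())}


if __name__ == "__main__":
    for year, row in detection_deficit(SAMPLE).items():
        print(year, row)
    print(discovery_distribution(SAMPLE))
```

The exclusion of unknown timelines matters for this report's dataset in particular: as the text notes, many PHI incidents arrive without timeline information, and counting them as "not detected in days" would inflate the deficit.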
Figure 19. 2015 DBIR defender detection deficit: percentage of incidents where time to compromise and time to detect were “days or less”, 2004–2014. Labelled deficit values for 2004 through 2014: 67%, 56%, 55%, 61%, 67%, 62%, 67%, 89%, 62%, 77%, 45%.
In contrast, look at the same graphic for this report’s data (Figure 20):
An inherent weakness in the PHIDBR dataset is that since it relies so heavily on the
government reports and what reporters find interesting, we frequently don’t get timeline
information (the DBIR team would love to see the HHS Office for Civil Rights adopt VERIS).
But for those incidents for which we have data, you can see that this graphic looks
quite different from the DBIR. First, we see that 2014 had just a 10% deficit—
down from 52% the year before. The most common method of discovery of these
incidents was being found by an employee—which sounds great! However, when
we look closer, we find that the reason they are being discovered by the employee is
that they are the theft of physical assets. So yeah, if your laptop (thumb drive, etc.) gets
stolen, you tell your boss about it pretty fast. This isn’t the story we wanted to tell.
We’d rather devices that were stolen were already encrypted and thus wouldn’t
end up in this dataset, but in the healthcare industry in particular, unencrypted lost and
stolen devices are a big problem.
Figure 21 gives you the time to discovery of incidents over the past five years for
the PHIDBR dataset. You can see how the incidents have been discovered over
time, with most falling into the “months” category.
Figure 20. The PHI defender detection deficit: percentage of incidents where time to compromise and time to detect were “days or less”, 2008–2014. Labelled deficit values: 91%, 57%, 52%, 10% (the last being 2014).
Figure 21. 2015 PHIDBR incidents time to discovery: percentage of incidents discovered within days, weeks, months or years, for each year 2010–2014.
The good news here is that we are seeing that over time, the “years” values are
getting smaller. But there are still far too many incidents that are taking “months”
to discover. We were curious to find out whether those incidents that took years
to discover had anything in common. And yes, incidents in this dataset that took
years to discover were over three times more likely to be caused by an insider
abusing their LAN access privileges, and twice as likely to be targeting a server
(particularly a database). How does this compare to the DBIR dataset? We found
that while the DBIR incidents that took years to discover also tend to be Insider
Misuse incidents, they are more frequently against either paper documents or
media. Both of these datasets (the PHIDBR and DBIR combined data is well over
100,000 incidents strong) show that the incidents that take the longest to detect
are those being perpetrated by the organization’s trusted insiders. This really
speaks to the need for detective controls that can uncover this type of behavior.
This trend of discovering breaches more quickly is illustrated in Figure 22. The
trend line is clearly sloping down, and you can see that the past two years in
particular have shown improvement.
In one memorable incident from the VCDB, a medical center had contracted a third
party to handle disposal of its paper documents. Unfortunately, those documents
ended up flying out of the vehicle as it drove down the road—to the extent that
witnesses described the scene as “looking like a blizzard of white paper had struck
the area.”[23] Adding to this comedy of errors, an inmate work crew was dispatched
to pick up the papers as part of their regular road cleanup in the area—what could
possibly go wrong? Clearly, this is not how organizations would prefer to find out
about their incidents. This tree-based snowstorm would have been classified
as having a third-party discovery method. And as you can see from the top line
in Figure 23, it is the most common method for the PHI dataset (and is strongly
trending upward in the DBIR dataset as well).
23 http://www.wsbtv.com/news/news/local/medical-records-scattered-across-gwinnett-county-r/nbj8z/
Figure 22. Proportion of breaches undiscovered for months or more, 2008–2014 (40% to 100% scale; trend and actual series)
Fraud detection is most commonly associated with fraudulent use of payment
card information that is tied to the Payment Card Industry’s Common Point of
Purchase (CPP) detection. Looking back at Figure 14, which presented the incident
patterns over time, we see the expected correlation between this detection method
and the rise and fall of POS intrusions. This plays less of a role in this report than
the DBIR, as the payment cards (overall) have lower representation in this dataset.
Law enforcement is also trending down as a discovery method.
Figure 23. Breach discovery methods over time, 2008–2014 (percentage of breaches; series: Fraud detection, Internal, Law enforcement, Third party)
Diagnosis and prognosis
News outlets, and even researchers like ourselves, regularly pontificate about
devastating losses from breaches, such as the pilfering of the F-35 Lightning
II fighter plans, or the seemingly ever-present large-scale credit-card attacks.
Large-scale PHI-themed breaches in 2014 and 2015 have, however, helped put a
spotlight on this highly personal loss of information confidentiality.
Detailed health records make it easier for criminals to engage in both identity
theft and medical billing fraud—the former having direct impact on an individual or
family, and the latter increasing healthcare costs for governments, organizations
and individuals. Such private and potentially embarrassing (or worse) information
can also be directly used against an individual, especially those in more sensitive
positions. So what's the prognosis (doc)? As with any serious medical issue, there’s
good news and bad news.
The bad news[24]
By just examining the HHS data alone, we can see that PHI for half of the
population of the United States has been impacted by breaches since 2009.[25]
Furthermore, the FBI issued a warning to healthcare providers in early 2015 stating
that “the healthcare industry is not as resilient to cyber intrusions compared to the
financial and retail sectors, therefore the possibility of increased cyber intrusions is
likely.”[26]
And, as of January 1, 2014, all public and private healthcare providers must
have adopted and demonstrated “meaningful use” of electronic medical records
(EMR) in order to maintain their existing U.S. government reimbursement levels.
So, large PHI breaches have happened; more of our medical history is in electronic
form than ever before; and the U.S. government itself is concerned about the safety
of this information across all healthcare organizations. We’ve seen that criminals
have shown both a desire for this data and the ability to whisk it away—seemingly
at will. Unlike some measures one can take with a credit or debit card, there is
virtually nothing we can do to safeguard our own medical information except rely
on the individuals and organizations we’ve trusted to keep it secret.
As we’ve demonstrated in this study, it is not just the healthcare industry exposing
this data, given that nearly all industries were represented in the dataset. Even
those industries that have medical data but are not one of the HIPAA-covered
entities must do their part to safeguard this type of information for the good of all.
24 In a recent study, 75% of folks want the bad news first (who are we to argue with the stats?): http://psp.sagepub.com/content/early/2013/10/30/0146167213509113.abstract#aff-1
25 169,700,764 records as of October 12, 2015
26 http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423
The good news
There are some bright spots to hold on to. Organizations with PHI are detecting
incidents faster than other industries and closing the detection deficit.
Enforcement (at least in the United States) in terms of fines and penalties is also
increasing,[27] both in frequency and severity, which creates additional incentives for
a healthcare provider or insurer to focus more on cybersecurity.
An ounce of prevention
Since there isn’t much an individual can do, healthcare providers can use the
information in this report—and the DBIR itself—to better proactively defend patient
data from prying eyes. Just as a doctor might counsel a patient that there is no
“miracle pill” and that they should eat better, exercise more and maintain a proper
sleep schedule, the same is true for ensuring the confidentiality, integrity and
availability of these records. Assess processes, procedures and technologies that
affect the security of these records and prescribe a proactive treatment that will
help the “cyber immune system” better protect the data entrusted to them.[28]
27 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/
28 We shy away from prescribing generic “best” practices, but take a look at the “Wrap-up” section in the 2015 DBIR
(http://verizonenterprise.com/DBIR/2015/) for some potential “easy wins.”