Breaches of PHI are not specific to the healthcare industry, according to a new study conducted by Verizon Enterprise Solutions. PHI data breaches are actually suffered by the majority of organizations; but they are just not as widely reported in other industry sectors.
The study looked at breaches of PHI that have been suffered by healthcare and non-healthcare organizations from 20 different industry sectors in 25 different countries. In total, 1,931 breaches of PHI were analyzed with those breaches resulting in over 392 million employee and patient records being exposed since 1994.
PHI may be created by healthcare providers and health insurers, but the majority of companies actually store these data. They can often be found in personnel files of employees, and numerous other locations. When claims for compensation are filed by workers, PHI is often included. PHI can also be found in employee program data such as wellness schemes. Regardless of industry sector, PHI can usually be found somewhere on a company’s network.
The data breaches studied by Verizon mostly affected U.S. organizations, not because those organizations were targeted more by cybercriminals, but because more information about those breaches was publicly accessible. The United States has stricter breach reporting requirements than most countries.
The Health Insurance Portability and Accountability Act has particularly strict reporting requirements. HIPAA-covered entities must report all breaches of PHI within 60 days of the discovery of a data breach if more than 500 records were exposed. Media announcements must also be issued at the same time. As a result, healthcare data breaches often make the headlines, yet PHI breaches are frequently suffered in other industry sectors. According to Suzanne Widup, lead author of the Verizon report, 90% of the organizations studied had suffered breaches of PHI.
Hackers may be attracted to healthcare providers due to the sheer volume of data that can be obtained; however, it can be difficult to gain access to networks and devices used to store PHI due to the protections that are required by HIPAA Rules. Less well regulated industries can be much easier targets. Oftentimes hackers choose to attack non-healthcare organizations because their cybersecurity protections are not as robust. In many cases, hackers look for weaknesses and security vulnerabilities to exploit rather than a specific industry or company.
What hackers want is data. Any company that stores the data hackers want is likely to be attacked at some point in time. Widup pointed out that there is a false sense of security in many organizations because of the belief that hackers are only targeting healthcare providers for PHI, and often only large organizations at that. In reality, breaches of PHI are suffered by organizations of all sizes, across all industry sectors, regardless of country. Cybercriminals simply follow the data. Neither where the data are located nor the size of the organization matters, only that PHI is easily accessible.
Similarly, there is a misconception that hackers are specifically looking for medical data, when in actual fact it is personal information that is often being sought. Personal data, especially Social Security numbers, can be used to commit tax fraud and financial fraud, which are both more common than medical fraud. Of course, if medical data can also be taken in an attack it will be. Medical information can easily be sold on the darknet.
Regardless of industry or the size of an organization, PHI must be protected. Protections must be put in place to keep employee PHI secure, not only confidential customer data. Fail to put appropriate protections in place and it is only a matter of time before a breach of PHI occurs.