The Truth about US Healthcare Breaches: 2005-2015

The problem with today’s threat landscape is that our perception can often be clouded by the latest headline-grabbing stories. To gain any real clarity into what’s actually happening and where the threats to our data lie, we need to pull back and look at broader trends. That’s exactly what data from the Privacy Rights Clearinghouse (PRC) has allowed Trend Micro to do in two new research papers that analyze publicly disclosed breaches from 2005 – 2015. You might be surprised at some of the findings.

Despite the sensational breaches of tens of millions of customer records at retailers like Target and Home Depot, and hugely damaging government breaches at the Office of Personnel Management, healthcare has actually suffered the most over the past decade.

Digging deeper

Healthcare organizations accounted for more than a quarter (26 percent) of all U.S. breaches during the studied time frame, according to the PRC data. That’s significantly more than education (16.8 percent), government (15.9 percent) and retail (12.5 percent), which rounded out the top four targeted industries. It might be that healthcare organizations have simply been required to report such incidents for a longer period of time because of HIPAA regulations; however, anecdotal reports suggest a deeper problem.

Of late, we’ve witnessed huge breaches at Anthem (80 million), Premera Blue Cross (11 million), and most recently Excellus (10 million). It’s perhaps no surprise that the Identity Theft Resource Center claimed healthcare accounted for the most breaches of any industry in 2014 (42.5 percent) – topping the list for a third consecutive year.

There have certainly been years of under-investment in security by healthcare organizations, the consequences of which are now beginning to surface. Then there’s the mass digitization of patient health records, which has greatly increased the attack surface of healthcare bodies. Additionally, consider how the industry is fragmented into distinct and often competing entities, affording cybercriminals plenty of gaps to exploit. Patient healthcare records have become increasingly attractive to hackers because they contain a huge amount of personal information, not only about individuals but about their entire families, that can be exploited effectively in follow-up identity fraud.

Add all these factors together and you have something approaching a perfect data breach storm for the industry.

Preventing loss/theft

But that’s still not the whole story. According to Trend Micro’s analysis of the PRC data, Follow the Data: Analyzing Breaches by Industry, only seven percent of healthcare breaches over the past decade came from hacking or malware. The majority (60 percent) came from device or physical loss/theft. That’s not to say malware attacks weren’t ultimately more damaging to these organizations, but it’s important to note that by cracking down on staff carelessness or negligence, healthcare bodies could see a major reduction in the number of breaches they suffer.
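The two figures above (healthcare’s share of all breaches, and the split of healthcare breaches by cause) come from aggregating PRC-style breach records. The following is an added example, not Trend Micro’s or the PRC’s own code, that shows the shape of that aggregation. The breach-type codes are an assumed mapping modelled on the PRC taxonomy, the industry codes and every record in SAMPLE are constructed for illustration, and the numbers it produces are therefore not the report’s figures. It also carries the analysis one step further than the text by comparing incident counts with records exposed, which is the distinction the paragraph draws between how often a cause appears and how damaging it is.

```python
"""Aggregate PRC-style breach records by industry and by cause (added example)."""
from collections import Counter, defaultdict

# Assumed breach-type codes, modelled on the Privacy Rights Clearinghouse
# taxonomy; they are not quoted from the article.
BREACH_TYPES = {
    "HACK": "hacking or malware",
    "PORT": "lost or stolen portable device (laptop, USB drive, phone)",
    "STAT": "lost or stolen stationary device (server, desktop)",
    "PHYS": "physical loss or theft of paper records",
    "INSD": "insider misuse",
    "DISC": "unintended disclosure (misdirected email, exposed web page)",
    "CARD": "payment card fraud",
    "UNKN": "unknown",
}
# The causes the article groups together as "device or physical loss/theft".
LOSS_THEFT = {"PORT", "STAT", "PHYS"}

# Constructed sample records: (industry, breach type, records exposed).
# Industry codes are assumed (MED = healthcare, EDU, GOV, BSR = retail).
SAMPLE = [
    ("MED", "PORT", 4000), ("MED", "PORT", 1500), ("MED", "PORT", 700),
    ("MED", "STAT", 2500), ("MED", "PHYS", 300), ("MED", "HACK", 80000),
    ("MED", "INSD", 200), ("MED", "DISC", 900),
    ("EDU", "HACK", 30000), ("EDU", "PORT", 1200), ("EDU", "DISC", 600),
    ("EDU", "PORT", 450), ("EDU", "UNKN", 100),
    ("GOV", "PORT", 5000), ("GOV", "HACK", 20000), ("GOV", "PHYS", 800),
    ("GOV", "DISC", 350),
    ("BSR", "CARD", 40000), ("BSR", "HACK", 60000), ("BSR", "INSD", 1500),
]


def share_by_industry(records):
    """Percent of all breach incidents attributed to each industry."""
    counts = Counter(industry for industry, _, _ in records)
    total = sum(counts.values())
    return {ind: round(100 * n / total, 1) for ind, n in counts.items()}


def share_by_type(records, industry):
    """Percent of one industry's incidents attributed to each breach type."""
    types = [btype for ind, btype, _ in records if ind == industry]
    counts = Counter(types)
    return {t: round(100 * n / len(types), 1) for t, n in counts.items()}


def loss_theft_share(records, industry):
    """Percent of one industry's incidents caused by device/physical loss or theft."""
    by_type = share_by_type(records, industry)
    return round(sum(pct for t, pct in by_type.items() if t in LOSS_THEFT), 1)


def records_exposed_by_type(records, industry):
    """Total records exposed per breach type within one industry.

    Contrasting this with share_by_type shows why a cause that is rare by
    incident count (here HACK) can still dominate the damage.
    """
    totals = defaultdict(int)
    for ind, btype, exposed in records:
        if ind == industry:
            totals[btype] += exposed
    return dict(totals)


def report(records, industry="MED"):
    """Human-readable summary for one industry."""
    lines = [f"Share of all incidents by industry: {share_by_industry(records)}"]
    lines.append(f"{industry} incidents by cause (%): {share_by_type(records, industry)}")
    lines.append(f"{industry} loss/theft share: {loss_theft_share(records, industry)}%")
    lines.append(f"{industry} records exposed by cause: {records_exposed_by_type(records, industry)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On the constructed sample, loss and theft account for most of the healthcare incidents while a single hacking incident accounts for most of the records exposed, so an organization deciding where to spend should look at both views rather than incident counts alone.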

This type of information from the report can help healthcare organizations build a more effective security strategy for their data. Steps should include technical and non-technical measures such as:

  • Data Loss Prevention and device control/management tools
  • Disk and device encryption to render any stolen or lost data useless
  • Least privilege access policy to reduce the number of employees who can access highly sensitive data
  • Education and training programs to drive home best practice data handling and the importance of this to the prosperity of the organization
  • Review of removable media policy to minimize the risk of accidental or deliberate loss

Click here to read Trend Micro’s two reports: Follow the Data: Dissecting Data Breaches and Debunking the Myths and Follow the Data: Analyzing Breaches by Industry.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.

from Trend Micro Simply Security http://ift.tt/1NjqjvZ
via IFTTT