Saul Ewing Arnstein & Lehr LLP

Verizon recently released its 11th annual Data Breach Investigations Report (DBIR). The DBIR is a helpful tool for everyone in the health care sector to understand trends in cybercrime and the most typical causes of security incidents and data breaches. According to the DBIR, there were more than 53,000 incidents and more than 2,600 confirmed data breaches in the past year across all industry sectors reviewed (accommodation and food services; education; financial and insurance; health care; information; manufacturing; professional, technical and scientific services; and public administration). The DBIR defines an incident as “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is defined in the DBIR as “an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.”

Highlights from the DBIR include:

  • 24 percent of all breaches affected health care organizations (the number one industry affected);
  • 48 percent of breaches across all industry sectors featured hacking, and 30 percent of the breaches included malware;
  • 68 percent of the breaches took months or longer to discover; and
  • health care was the second-highest industry involved in social breaches (i.e., breaches resulting from social attacks such as phishing or pretexting), trailing only the public sector (e.g., government entities), with the education sector third.

Specific to the health care sector, the DBIR reported:

  • the top three patterns of incidents were miscellaneous errors, crimeware, and privilege misuse (i.e., misuse of the right to access data); the top three patterns of breaches were miscellaneous errors, privilege misuse and web applications;
  • the “threat actors” behind incidents and breaches were almost evenly divided between external and internal actors. Health care was the only industry sector in the DBIR with more internal actors behind breaches than external actors;
  • the motivation of the perpetrator was overwhelmingly financial (75 percent), with “fun” being second (13 percent);
  • not surprisingly, the compromised data was largely medical and/or personal;
  • social attacks were a part of approximately 14 percent of the health care incidents; and
  • asset theft (e.g., laptops and other portable devices) was responsible for 90 percent of the physical actions related to incidents and breaches in health care.

Three takeaways from the DBIR for participants in the health care sector are: (1) given the prevalence of mobile device theft, full disk encryption (i.e., encryption of all information on the disk) is an effective and low-cost method to protect data; (2) ensure that policies and procedures are in place that mandate monitoring of PHI access; and (3) defend against malware, including ransomware, which accounted for 85 percent of all malware in the health care sector.

The DBIR is noteworthy because health care industry participants – providers and payors – handle some of the most sensitive data of any industry and must ensure the privacy and security of that data at all times. HIPAA privacy and security measures are obviously an important part of those compliance efforts.