Reporting from the HIMSS Connected Health Conference (CHC)
Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR).
It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”
Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.
When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. Many medical devices haven’t been designed that way–they are older, it’s an extra cost–and when connected to the internet, they become wide open to attack. “Benign”? Au contraire. [Essentia Health’s white hat hacking of its in-house devices last year]
What is to be done? Mr Sartin noted that the problem can be boiled down to essential vulnerabilities. Dr Widup’s view: start encrypting–even if you aren’t HIPAA-covered–add extra controls around anything facing the internet, make sure your anti-virus and malware software is up to date (but not crippling your computers!–Ed.)
If, like your Editor, you were surprised at Verizon’s concern in this area, their global Enterprise customers for phone and data extend across multiple industries, including healthcare. Their RISK team routinely investigates and mitigates data breaches for customers. The PHI Report takes in 25 countries, 392 million records and 1,931 incidents, from public sources as diverse as the US Secret Service, the Veterans Administration (VERIS database), HHS, Mishcon de Reya (legal), Privacy Rights Clearinghouse (one of our favorites) and the Dutch National High Tech Crime Unit. Verizon Enterprise release. Final release planned for December. Thanks to Janet Brumfield and Carlos Arcilia of their corporate communications area plus Tracy Donalson of Weber Shandwick.
Additional reading: search TTA on ‘hacking’, ‘medical device hacking’, and ‘data breaches’ for our extensive coverage and links to multiple sources on cybersecurity.