The good news: While the annual Verizon-Secret Service 2013 Data Breach Investigations Report shows that hacktivist attacks and state-sponsored espionage are on the rise, overall, healthcare organizations aren't really prime targets for those kinds of attacks.
That's because perpetrators of these new hackers primarily want to steal intellectual property and government secrets, said Suzanne Widup, senior analyst on Verizon's RISK Team, which authors the data breach report.
Financially motivated cybercrime still makes up 75% of data breaches.
Across all industries, financially motivated cybercrime still makes up 75% of data breaches, according to the report, which draws statistical conclusions from 621 confirmed data breaches, as well as more than 47,000 reported security incidents. The finance and retail sectors led all 20 market sector categories in the 2013 report from Verizon, its sixth edition. Healthcare was represented by the information from six data breaches that was contributed to the report, but researchers also examined publicly reported information to develop their guidance for data breach prevention that the report contains.
The bad news: The industry has a variety of data breach prevention worries. Healthcare providers have a lot of catching up to do with other sectors, such as finance and manufacturing, not only in detecting and stopping leaks in their networks in order to protect patients but also in lining up with new compliance mandates, such as the HIPAA omnibus rule.
In breaking down her team's data breach statistics, Widup said it's still difficult to determine whether healthcare breaches are on the rise or not. New state and local laws are forcing hospitals to report breaches for the first time, and their new awareness of the security vulnerabilities in patient data is helping hospitals to detect problems that might have gone unnoticed before.
Most threats to healthcare data are still external, the Verizon data seems to indicate, as opposed to the internal threats posed by disgruntled employees or well-meaning workers who aren't well-versed in privacy policies. While such internal threats still need to be addressed and mitigated, devices such as thumb drives and laptops with unencrypted data seem to be where healthcare providers are getting into the most trouble.
Anecdotal reports of medical identity theft are on the rise, buthealthcare data thieves are still looking for credit card numbers and other data that can be used to steal or be resold to other thieves. "That's a constant with any organization that has these kinds of devices," Widup said. "Healthcare breaches act a lot like the retail breaches. The people going after [illegally obtained data] are financially motivated. They're looking for credit cards and social security numbers they can turn into cash in very short order. Basically, [data thieves] have a set vulnerability that they [know]; they're a hammer and they're looking for a nail."
Prevention all comes down to the risk assessment process, Widup said. If healthcare providers can get that right, they can help mitigate their biggest potential problems, first, then tackle lesser issues that still amount to threats to patient data.
Because it's required by HIPAA and meaningful use, risk assessment should be on healthcare leaders' radar anyway. Healthcare providers get value from risk assessment because they're customizing their security plans to the facility's specific risks. "Evidence-based risk assessment is very important," Widup said. "If you're not doing it on what your actual risks are, then you're kind of taking a stab in the dark at what you think [the data security risk] might be without having evidence of what it is."