Sponsored: Prepare Early. Act Fast. Better Matters

By Verizon

With the evolving threat landscape, cyberattacks happen every day to every type of enterprise – with disastrous results. Left unchecked, hackers can invade your IT infrastructure, steal your data, and ruin your reputation. Bryan Sartin, managing director of the Verizon RISK Team, Verizon Enterprise Solutions, discusses how businesses can prepare for the unexpected and respond quickly and effectively by partnering with experienced professionals and robust solutions. Sartin is responsible for handling incidents of a civil and criminal nature for entities both on and off Verizon’s network, as well as cyber intelligence functions. As founder of Verizon Investigative Response, one of the world’s largest nonmilitary IT investigations groups, he leads an operation that handles more than 350 externally facing cyber investigations in 40-plus countries each year and has been retained to investigate many of the world’s most damaging and publicly visible data breaches on record. Sartin also co-authored the Verizon Data Breach Investigations Report, an annual joint study into the contributing factors behind security failures and a great example of public/private partnership on intelligence sharing specific to cyber.

How is the evolving cyber threat landscape affecting protected health information? 

The hard truths are that major data breaches are in the news every day. They happen fast and are very complex due to the ever-evolving threats, actors and motivations. Cybercrime impacts the entire spectrum of industries and we discovered that 92 percent of data breach victims found out about the breaches from outside third parties. And it takes about seven months from the point of entry by the cybercriminals to discovery of these breaches. This means that the bad guys are penetrating computer systems at a greater rate and have access to data for longer periods of time.

Specifically, these factors hold true as well for protected health information cyberattacks. From the research produced from the Verizon 2015 Protected Health Information (PHI) Data Breach Report, stolen health information is a much more widespread issue than previously thought, affecting 18 out of 20 industries examined. This translates to 90 percent of industries having health data breaches. This is a staggering and sobering reality for organizations today.

Sadly, nearly half of the U.S. population has been impacted by breaches of PHI since 2009, notes the report. Furthermore, the FBI issued a warning to healthcare providers in early 2015 stating that “the healthcare” industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is “likely.”

Yet, most organizations outside of the healthcare sector do not realize they even hold this type of data. Common types of PHI are employee records (including workers’ compensation claims) or information for wellness programs and are generally not well protected. These complex fast-acting threats are triggering organizations to re-examine their risk and approach to this growing problem.

How are PHI breaches different from other breaches?

PHI breaches are very unique in many ways as we discovered during our research with the Data Breach Investigations Report series. It triggered us to examine this industry issue more closely and separately due to its serious impact to the greater good. Our first 2015 PHI Data Breach Report was created and provides a detailed analysis of confirmed PHI breaches involving more than 392 million records and 1,931 incidents across 25 countries.

What we learned was that the threat actors (internal and external) for PHI are nearly equal in number within 5 percentage points, which means there is a lot of insider misuse. Additional findings identify that medical record data is often taken with malicious intent; however the intent is usually focused on the personal identifiable information (PII), like credit card and social security numbers to perpetrate financial crimes and tax fraud.

Additional differences specifically identified relate to the breach attack origin. The attack can be a theft of a portable device (laptop, tablet, thumb drives), human error sending medical information to the wrong destination or simple misuse of employee access information. These three actions make up 86 percent of all PHI breaches.

In addition, the time to discovery most frequently falls into the months and sometimes years category. Incidents taking years to discover were three times more likely to be caused by insiders abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.

What steps are required to mitigate risk and protect your assets?

It’s a cold reality that all businesses must face: Cyber-attacks happen. And they happen often, threatening data of all types. Anticipating when an attack might occur and assessing whether you’re prepared to defend against it can make all the difference to reduce risk and financial impact.

To do this effectively, you have to be prepared and vigilant. Your access and data standards, environmental testing and a rock solid incident response plan have to be continually governed and tested. The threat actors are relentless in their attempts to find a soft spot to exploit. It is very difficult to eliminate all risk factors as no one has endless capital allocations to cover all risk. The best-defended businesses are those that prepare for the unexpected and are supported by professionals and solutions, which protect them for the short term and long haul. Customers need to have the right access, expertise, partners and protection, when they need it the most.

To help address these issues, Verizon security experts offer insights and recommendations in the report on how to best protect data in addition to illuminating the fact that PHI data is contained in many more places than organizations realize. Verizon security experts are on the ready to assess and support you in this fight against cybercrime.

How does Verizon balance the challenge of making PHI accessible for care collaboration and still secure from breaches?

Verizon layers logical security measures over physical security capabilities to meet the security requirements of today’s enterprise organizations. We offer a robust suite of HIPAA-ready solutions—products and services that maintain applicable business associate security level requirements. While our customers assume responsibility for their own HIPAA compliance, we support them with their compliance objectives with our HIPAA-ready solutions under a Business Associate Agreement (BAA). HIPAA regulated entities can leverage applicable Verizon HIPAA-ready solutions to process, maintain, and/or transmit electronic protected health information (ePHI).

Visit us at booth #4454

About Verizon
Verizon Communications Inc. (NYSE, Nasdaq: VZ) employs a diverse workforce of 177,700 and generated nearly $132 billion in 2015 revenues. Verizon operates America’s most reliable wireless network, with more than 112 million retail connections nationwide. Headquartered in New York, the company also provides communications and entertainment services over America’s most advanced fiber-optic network, and delivers integrated business solutions to customers worldwide.

For more information, visit www.verizonenterprise.com/industry/healthcare.  
