DECEMBER 30, 2019 • RBS
As we revealed in our recent Data Breach QuickView report, in the first 9 months of 2019 medical service providers topped the list as the most compromised economic sector. Reporters have picked up on the trend, leading to a number of stories in the press highlighting security issues across the healthcare industry and the copious number of records compromised at a wide variety of service providers.
One such article detailing healthcare data breaches caught our eye. According to their source the total number of breached healthcare records stands at 38 million, which would be 11.64% of the US population. That’s an alarming statistic that is hard to ignore, especially when we consider the treasure trove of sensitive information that healthcare providers have on their patients. Providers can hold everything from basic contact details and insurance information to family histories, diagnosis, medications taken… and perhaps even a blueprint of your DNA. As we’ve argued before, you can replace your credit card, but you can’t get a new body.
This 11.64% statistic is designed to catch your attention over your morning coffee. It’s alarming and yet plausible. It’s also worth exploring further, because it may not be entirely representative of what is happening. We are not going to claim that the referenced article is wrong. Instead, what we are saying is that the figure may be even larger (or smaller) than reported.
The Building Blocks of the “Wall of Shame”
Better risk management requires better data. That’s core, here at Risk Based Security. In this case, that means understanding where breach data is coming from. The cited 38 million records exposed comes from one source, the U.S. Department of Health and Human Services Office for Civil Rights breach portal, commonly referred to as “The Wall of Shame.” This wall is composed of breaches of unsecured protected health information, but with the following stipulations:
- The breach must affect 500 or more individuals; and
- The incident occured at a ‘covered health entity’.
500 OR MORE INDIVIDUALS
If the incident did not affect 500 or more individuals, it is not published to the list. This means the list alone is not fully representative of the breaches occurring across the healthcare industry. There are many smaller data breaches that occurred throughout the year which are not included in the report, meaning the actual number of incidents is much higher.
COVERED HEALTH ENTITIES
A breach has to apply to a ‘covered health entity’ to make the list. That means the breach would have to occur at a health insurance plan, a healthcare provider, or healthcare clearinghouse.
At first glance that might seem logical, however medical service providers are not the only organizations that can have healthcare related data. Consider how much medical information can be collected – whether intentionally or not – in personnel files and communications between employees. Doctor’s notes, diagnosis details and injury reports can easily make their way into a company’s email system and files. Should those systems or files be breached, and the information is lost to malicious attackers, the breach most likely won’t make it to “The Wall”. So the total of 38 million healthcare records exposed would not necessarily include all breaches of healthcare data.
What Do We Mean by “Healthcare” Records?
Putting aside the under-reporting, we also need to ask ourselves what is meant by “healthcare records” in the first place. For most readers, when you see 38 million “healthcare” records lost, you associate that with actual medical data – such as condition and medical history. But with how the “Wall of Shame” is designed, that association is not entirely accurate. In reality, those 38 million records lost may well contain something other than sensitive diagnosis or treatment information.
Health and Human Services has made it clear that protected health information – which must be breached for an incident to be posted on the “Wall of Shame” – is more than a physical or mental health condition. It includes demographic information as well as “many common identifiers” such as name, address, date of birth and Social Security number.
Because “The Wall” is not clear as to the specific data types exposed in the breach, the compromised information will include a mix of data. Yes, if malicious attackers know 11.64% of all American’s medical diagnosis and medical history, something must be done now to rectify this. But if attackers have compromised the names and addresses of 11.64% Americans within Healthcare systems, it’s less of a call-to-arms.
The Reason It is Difficult
Making these distinctions is difficult and it is not our goal to discredit the Wall of Shame as a source of information or the article that referenced it. More information, and more transparency, is a positive. However, there is always more to the story when considering information from only one source. There are grey areas when it comes to breaches, complicated by the fact that what ends up posted on a public list can vary widely depending on who is doing the reporting and the reason the information is being published. Without understanding the regulation driving the disclosure or the selection criteria of the organization publishing the list, it is easy to make assumptions that lead to inaccurate conclusions.
Where To Go From Here?
As the reporting from the “Wall of Shame” shows, untangling the myriad of breach information sources is a time consuming and detail-intensive process. Companies rarely have the resources to dedicate to comprehensive data collection or analysis.
That’s where Cyber Risk Analytics (CRA) fills the gap. By combining a deep understanding of sources like the Office for Civil Rights with years of experience and expert analysis, CRA is able to deliver actionable intelligence for faster insights into the breach landscape and better vendor monitoring. Contact us for more information on how CRA can be put to work for you.