Report: Healthcare state of security a mixed bag

Industry has a lot of work to do to improve security
By Erin McCann
07:45 PM
cloud security

Let’s face it: Security has never really been the healthcare industry’s strong suit. It’s been criticized for outdated technology, behind-the-times encryption policies, insider snooping woes and now, more recently, hacker misfortune. In Verizon’s 2015 Data Breach Investigations Report, analysts put healthcare security under the microscope and identified the industry’s biggest security threats, top security shortcomings and the actions it needs to take to get its house in order.

This year’s report set records for the number of organizations participating and security threats identified, with analysts classifying a staggering 80,000 security incidents and 2,100 data breaches. For the healthcare vertical, shared exclusively with Healthcare IT News, officials examined a total of 234 security incidents and 141 confirmed data loss breaches.

One of the most significant changes from last year's report? We’ll start with the good news: The industry actually made considerable progress with losing unencrypted devices. Consider the fact that last year, a whopping 46 percent of healthcare security incidents were due to theft or loss of unencrypted devices, this year’s 26 percent due to theft or loss represents a considerable improvement.

Suzanne Widup, senior analyst on the Verizon RISK team, said she'd like to think it's due to the healthcare industry finally taking encryption a little more seriously. "It was surprising to see that go down a bit," she told Healthcare IT News. Despite the marked improvement, though, 26 percent is still a sizable piece of the pie. "It's still a huge problem," said Widup.

And it’s not the only problem. The bad news (or we can call it the areas with the most opportunity for improvement) was that despite the healthcare industry improving one category, they saw significant upticks in others.

For one, security incidents caused by insider misuse (think employee snooping and organized crime groups) jumped from 15 percent in 2014 to 20 percent in 2015. This should be a cause for attention, said Widup.

For this category, Widup and her team observed primarily a surge in organized crime groups that position people in healthcare so they can swipe data for tax fraud.

Then there's the employee-prying problem. And it's not just a problem involving celebrities. "We still see a fair amount of snooping," added Widup. "As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping."

Healthcare organizations also reported a jump in web app attacks – seven percent, up from three percent in 2014 – and denial of service attacks – nine percent, up from two percent last year. Healthcare DoS attacks are more common than an all-industry average this year, which was pegged at 4 percent. Miscellaneous errors (think accidental employee actions like disposal errors and misdelivery) also saw a considerable bump from last year, representing 19 percent of all security events, Verizon officials pointed out.

So, with all these numbers in mind, does this represent an overall improvement in security for healthcare organizations? Are they finally doing what they should be in the security arena? Not so fast, said Widup. Rather, "we're just seeing a shift in some of the threat actors," she explained.

One of the more interesting findings in the healthcare vertical part of the report, as Widup pointed out, is when they drilled down and compared healthcare’s attack profile with other industries to identify similarities. The results were a bit of a surprise.

Turns out, healthcare’s attack profile has the most in common with performing arts/spectator sports; administration of human resources (think VA and government) and – this next part is not a joke – the personal and laundry services category.

"A lot of different industries have the same attack profile, even though they're not really related," said Widup. "If you're going to be doing any kind of intel sharing, look at the other industries that actually have common attacks as the same one you're in because you might actually get better data from them than you do with industries you think are more closely related."

Security Incidents by Pattern

Physical Loss/Theft


Insider Privilege/ Misuse


Misc. Errors


DoS Attacks


Web App Attacks



Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.