[BreachExchange] Breaking Down Healthcare’s “Wall of Shame”

[Destry Winant]

https://www.riskbasedsecurity.com/2019/12/30/breaking-down-healthcares-wall-of-shame/

As we revealed in our recent Data Breach QuickView report, in the
first 9 months of 2019 medical service providers topped the list as
the most compromised economic sector. Reporters have picked up on the
trend, leading to a number of stories in the press highlighting
security issues across the healthcare industry and the copious number
of records compromised at a wide variety of service providers.

One such article detailing healthcare data breaches caught our eye.
According to their source the total number of breached healthcare
records stands at 38 million, which would be 11.64% of the US
population. That’s an alarming statistic that is hard to ignore,
especially when we consider the treasure trove of sensitive
information that healthcare providers have on their patients.
Providers can hold everything from basic contact details and insurance
information to family histories, diagnosis, medications taken… and
perhaps even a blueprint of your DNA. As we’ve argued before, you can
replace your credit card, but you can’t get a new body.

This 11.64% statistic is designed to catch your attention over your
morning coffee. It’s alarming and yet plausible. It’s also worth
exploring further, because it may not be entirely representative of
what is happening. We are not going to claim that the referenced
article is wrong. Instead, what we are saying is that the figure may
be even larger (or smaller) than reported.

The Building Blocks of the “Wall of Shame”

Better risk management requires better data. That’s core, here at Risk
Based Security. In this case, that means understanding where breach
data is coming from. The cited 38 million records exposed comes from
one source, the U.S. Department of Health and Human Services Office
for Civil Rights breach portal, commonly referred to as “The Wall of
Shame.” This wall is composed of breaches of unsecured protected
health information, but with the following stipulations:

The breach must affect 500 or more individuals; and
The incident occured at a ‘covered health entity’.

500 OR MORE INDIVIDUALS

If the incident did not affect 500 or more individuals, it is not
published to the list. This means the list alone is not fully
representative of the breaches occurring across the healthcare
industry. There are many smaller data breaches that occurred
throughout the year which are not included in the report, meaning the
actual number of incidents is much higher.

COVERED HEALTH ENTITIES

A breach has to apply to a ‘covered health entity’ to make the list.
That means the breach would have to occur at a health insurance plan,
a healthcare provider, or healthcare clearinghouse.

At first glance that might seem logical, however medical service
providers are not the only organizations that can have healthcare
related data. Consider how much medical information can be collected –
whether intentionally or not – in personnel files and communications
between employees. Doctor’s notes, diagnosis details and injury
reports can easily make their way into a company’s email system and
files. Should those systems or files be breached, and the information
is lost to malicious attackers, the breach most likely won’t make it
to “The Wall”. So the total of 38 million healthcare records exposed
would not necessarily include all breaches of healthcare data.

What Do We Mean by “Healthcare” Records?

Putting aside the under-reporting, we also need to ask ourselves what
is meant by “healthcare records” in the first place. For most readers,
when you see 38 million “healthcare” records lost, you associate that
with actual medical data – such as condition and medical history. But
with how the “Wall of Shame” is designed, that association is not
entirely accurate. In reality, those 38 million records lost may well
contain something other than sensitive diagnosis or treatment
information.

Health and Human Services has made it clear that protected health
information – which must be breached for an incident to be posted on
the “Wall of Shame” – is more than a physical or mental health
condition. It includes demographic information as well as “many common
identifiers” such as name, address, date of birth and Social Security
number.

Because “The Wall” is not clear as to the specific data types exposed
in the breach, the compromised information will include a mix of data.
Yes, if malicious attackers know 11.64% of all American’s medical
diagnosis and medical history, something must be done now to rectify
this. But if attackers have compromised the names and addresses of
11.64% Americans within Healthcare systems, it’s less of a
call-to-arms.

The Reason It is Difficult

Making these distinctions is difficult and it is not our goal to
discredit the Wall of Shame as a source of information or the article
that referenced it. More information, and more transparency, is a
positive. However, there is always more to the story when considering
information from only one source. There are grey areas when it comes
to breaches, complicated by the fact that what ends up posted on a
public list can vary widely depending on who is doing the reporting
and the reason the information is being published. Without
understanding the regulation driving the disclosure or the selection
criteria of the organization publishing the list, it is easy to make
assumptions that lead to inaccurate conclusions.

Where To Go From Here?

As the reporting from the “Wall of Shame” shows, untangling the myriad
of breach information sources is a time consuming and detail-intensive
process. Companies rarely have the resources to dedicate to
comprehensive data collection or analysis.

That’s where Cyber Risk Analytics (CRA) fills the gap. By combining a
deep understanding of sources like the Office for Civil Rights with
years of experience and expert analysis, CRA is able to deliver
actionable intelligence for faster insights into the breach landscape
and better vendor monitoring. Contact us for more information on how
CRA can be put to work for you.