Security Industry Report Identifies Credentials as a Gateway to Protected Health Information
December 22, 2015 | Security and Risk | Lauren Horaist
Healthcare companies and protected health information (PHI) have been at the center of some of the largest attacks in 2015. If you have been following the frequency of headlines, you may wonder how prevalent are the breaches? Well, the numbers are in. Last week, Verizon issued the 2015 Protected Health Information Data Breach Report, the first extension of the annual Data Breach Investigations Report.
The report is focused on health information data, but it’s important to note the impact is not limited to the healthcare industry alone. Organizations across many industries have access to health information perhaps from employee records, worker’s compensation or for other reasons. As noted in the report, “The fact that an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach.”
In 2015, according the report, 90 percent of industries experienced a breach of PHI, and in total, more than 392 million records were exposed. While not all of these incidents were malicious – some were the result of accidental insider activity – the outcome was the same for the organizations: mandatory reporting, regulatory fines, potential lawsuits and a loss of confidence from the individuals impacted.
Interestingly, when Verizon analyzed the different types of data exposed during these breaches, the bulk of the information fell into one of four categories:
- Medical records
- Payment or payment card industry (PCI) information
- Personal or personally identifiable information (PII)
The inclusion of credentials in this group might seem to be a bit odd, but when you consider the information that credentials can provide access to, it makes sense. As noted in the report, “compromised credentials often are the gateway to the theft of data of other types.” Credentials are used by doctors to access patients’ electronic health records, by system administrators to maintain healthcare management systems and by pharmacy systems to retrieve and verify prescription information, to name just a few examples. Credentials that can be used to access sensitive and protected information must be treated like any other privileged credential in your IT environment.
Privileged account security solutions enable organizations to better secure PHI, PII and other sensitive information by effectively securing the accounts and credentials used to access this information. It’s important to proactively secure privileged account credentials, control and isolate privileged user sessions and monitor the use of these privileged accounts to detect anomalous activity that could indicate unauthorized access. By implementing such a solution, organizations can reduce the risk of a malicious PHI breach, prevent the accidental misuse of PHI by insiders and quickly locate abnormal activity in order to stop an attack before it becomes serious.
To learn how CyberArk can help to protect the privileged accounts that provide access to PHI, PII and other sensitive data, please visit our Privileged Account Security web page.