Data breaches an ever-present worry for physicians
■ Despite a drop in health care organizations being hacked, practices lacking sophisticated computer protection are seen as easy targets, a survey finds.
By Pamela Lewis Dolan — Posted May 10, 2011
Health care represented a smaller proportion of major data breaches investigated by a corporate investigation team and the U.S. Secret Service in 2010.
However, Verizon Business said even though health care dropped to 1% from 3% of all breaches included in the report, the number of breaches actually went up. That's because, overall, the number of breaches reported to Verizon and the Secret Service jumped to 761 from 141 the previous year.
More disturbing for physician practices, Verizon said, is that in 2010 outside hackers tended to attack smaller organizations in hopes that their information was more vulnerable. Though the number of incidents increased, there was a massive decrease in the number of documents involved in those breaches -- down from 144 million in 2009 to 4 million in 2010. The most common targets were hospitality (40%), retail (25%) and financial services (22%).
The breaches included in the Verizon Data Breach Investigation Report were confirmed cases reported to and investigated by Verizon. The report also included breach cases investigated separately by the Secret Service, which provided numbers to Verizon for the report.
The report's totals on health care do not represent all data breaches disclosed, by law, to the Dept. of Health and Human Services Office for Civil Rights. The report includes only those breaches reported to Verizon and the Secret Service by individuals or businesses seeking an investigation that will lead to prosecution.
The 2009 Health Information Technology for Economic and Clinical Health Act requires health care organizations experiencing a breach affecting 500 or more people to report the incident. In 2010, 207 breach incidents that included more than 5 million records were reported to HHS. There were 46 incidents reported in 2009 from September to the end of December. The majority of those cases involve "data at risk," meaning data is missing but a criminal investigation has not been launched.
Credit card transactions in physician offices are an area of vulnerability that is often overlooked, said the report's author, Alex Hutton, principal in research and risk intelligence for Verizon Business. Tighter controls of those transactions and the vendors contracted to carry them out are needed. Strong passwords will help keep the data secure, he said.
The report found that 92% of breaches reported to Verizon and the Secret Service were caused by external sources, most of which were automated systems launched through malicious software, or malware, sent through the Internet.
Small- and medium-sized businesses, including physician practices, have become easy targets because they tend to lack the sophisticated technology that larger organizations have to protect against these attacks, according to the report.
Physicians should remind staff to report irregularities in how office computers are running because this could signal that the computers have become infected, experts said.