Skip to content
Naked Security Naked Security

Healthcare data breaches ‘mostly caused by insiders’

With an average of one data breach a day and patchy security practises, healthcare organizations are sitting targets for hackers

Targeting healthcare organizations remains about as easy as shooting fish in a barrel. The industry has one of the lowest rates of data encryption and the security culture is severely lacking. Employee education remains poor, leading to a lot of costly mistakes in how patient data is handled.

Naked Security has written about the problem at length, and Sophos has done polling that makes the issues described above all too clear.

The latest evidence comes in the form of two reports: one from Big Data analytics firm Protenus, the other from IBM Managed Security Services (MSS).

Both reports show that the number of privacy violations in healthcare organizations remains high, and that clueless or malicious insiders are a huge problem left unchecked.

The insider problem

Protenus said insiders committed 59.2% of patient health record privacy violations in January 2017, and that the figure stayed well above 43% for all of 2016. From the report:

With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month. There were slightly fewer incidents disclosed in January than in December (36 incidents), and dramatically fewer affected patient records (1,431,449 vs 388,307).

Protenus’ analysis is based on incidents either reported to HHS or disclosed in the media or other sources last month. Information was available for 26 of those incidents. The largest single incident involved 220,000 patient records, a result of a third-party breach involving insider wrongdoing, the company said.

The majority (59.2%) of breached patient records – 230,044 records – were attributable to insider incidents. Five of nine insider incidents were the result of insider wrongdoing.  For the four insider-wrongdoing incidents for which we have numbers, 226,798 patient records were affected. Four other insider incidents were the result of insider error, affecting 3,246 patient records.

Meanwhile, a healthcare data security report from IBM Managed Security Services (MSS) said insiders were responsible for 68% of all network attacks targeting healthcare data in 2016. Almost two thirds of those attacks were the result of people using misconfigured servers and falling victim to phishing scams.

Why do attackers continue to sharpen their focus on healthcare? IBM MSS explained in the report:

It’s because the exploitable information in an electronic health record (EHR) brings a high price on the black market. In the past, malicious vendors have touted an EHR as being worth $50, but IBM X-Force researchers have found that these days, with health records often combined for sale in the underground markets with other personal/financial data, the price may be even higher.

Jonathan Lee, Sophos’s UK healthcare sector manager, said too many breaches are still caused by the inadvertent actions of users:

Therefore it is vitally important that users are educated about the cyber-risks they face and the safeguards in place to protect them.

They should also understand their individual cyber security responsibilities, be aware of the consequences of negligent or malicious actions, and work with other stakeholders to identify ways to work in a safe and secure manner, he said.

Five tips to turn the tide

Late last year, Lee wrote a post in the Sophos Blog outlining five things healthcare organizations can do to better protect patient data. The tips, which focused heavily on National Health Services organizations in the UK, cover the insider threat head on. Here’s a summary of his recommendations:

1. Know your risk

The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.

2. Follow best practice

Health organizations – and others, too – only too often spend money on cybersecurity solutions but then fail to properly deploy them. Make sure you’re following the recommendations for best practise when deploying your defenses.

3. Have a tried and tested incident response plan

Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan than can be implemented immediately to reduce the impact of the attack.

4. Identify and safeguard your sensitive data

It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed and implement suitable data security procedures to ensure it is appropriately protected.

5. Educate employees

With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.


I believe the report from IBM MSS was misquoted when suggesting that “malicious vendors have touted an EHR as being worth $50,300…” The report actually listed the price for EHRs as $50, with a superscript of 3 for a footnote. $50,300 seems somewhat steep in a market where full PII/PHI records are now being offered 2 for $.99.


These are concerning statistics from each report and the 5 tips provided are good advice to protect against cyber-security threats. However, I would argue that they fall one step short of fully protecting sensitive business data from internal data breaches.

How organisations dispose of their physical data assets still leaves a lot to be desired and when GDPR arrives in May 2018, organisations could find themselves on the wrong end of a hefty fine if they suffer a breach as a result of a substandard data asset disposal processes.

Data asset disposal is often the weak link in the chain of security and left unchecked, the data destruction process can be exploited by hackers, giving them access to personal data that allows them to circumvent physical and cyber security processes.

The requirements of GDPR bring data disposal into sharp focus and it will be essential for any organisation that processes, manages or stores data to have a clear, auditable approach to destroying critical data assets. With this in place, organisations will move one step closer to a fully secure critical data management policy. As mentioned in the article – Education of your employees is crucial to protecting your business against data breaches.

– Laura Cooper, Client Services Director at DataRaze


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!