Healthcare data breaches ‘mostly caused by insiders’

Targeting healthcare organizations remains about as easy as shooting fish in a barrel. The industry has one of the lowest rates of data encryption and the security culture is severely lacking. Employee education remains poor, leading to a lot of costly mistakes in how patient data is handled.

Naked Security has written about the problem at length, and Sophos has done polling that makes the issues described above all too clear.

The latest evidence comes in the form of two reports: one from Big Data analytics firm Protenus, the other from IBM Managed Security Services (MSS).

Both reports show that the number of privacy violations in healthcare organizations remains high, and that clueless or malicious insiders are a huge problem left unchecked.

The insider problem

Protenus said insiders committed 59.2% of patient health record privacy violations in January 2017, and that the figure stayed well above 43% for all of 2016. From the report:

With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month. There were slightly fewer incidents disclosed in January than in December (36 incidents), and dramatically fewer affected patient records (1,431,449 vs 388,307).

Protenus’ analysis is based on incidents either reported to HHS or disclosed in the media or other sources last month. Information was available for 26 of those incidents. The largest single incident involved 220,000 patient records, a result of a third-party breach involving insider wrongdoing, the company said.

The majority (59.2%) of breached patient records – 230,044 records – were attributable to insider incidents. Five of nine insider incidents were the result of insider wrongdoing. For the four insider-wrongdoing incidents for which we have numbers, 226,798 patient records were affected. Four other insider incidents were the result of insider error, affecting 3,246 patient records.

Meanwhile, a healthcare data security report from IBM Managed Security Services (MSS) said insiders were responsible for 68% of all network attacks targeting healthcare data in 2016. Almost two thirds of those attacks were the result of people using misconfigured servers and falling victim to phishing scams.

Why do attackers continue to sharpen their focus on healthcare? IBM MSS explained in the report:

It’s because the exploitable information in an electronic health record (EHR) brings a high price on the black market. In the past, malicious vendors have touted an EHR as being worth $50, but IBM X-Force researchers have found that these days, with health records often combined for sale in the underground markets with other personal/financial data, the price may be even higher.

Jonathan Lee, Sophos’s UK healthcare sector manager, said too many breaches are still caused by the inadvertent actions of users:

Therefore it is vitally important that users are educated about the cyber-risks they face and the safeguards in place to protect them.

They should also understand their individual cyber security responsibilities, be aware of the consequences of negligent or malicious actions, and work with other stakeholders to identify ways to work in a safe and secure manner, he said.

Five tips to turn the tide

Late last year, Lee wrote a post in the Sophos Blog outlining five things healthcare organizations can do to better protect patient data. The tips, which focused heavily on National Health Services organizations in the UK, cover the insider threat head on. Here’s a summary of his recommendations:

1. Know your risk

The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.

2. Follow best practice

Health organizations – and others, too – all too often spend money on cybersecurity solutions but then fail to properly deploy them. Make sure you’re following the recommendations for best practice when deploying your defenses.

3. Have a tried and tested incident response plan

Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan that can be implemented immediately to reduce the impact of the attack.

4. Identify and safeguard your sensitive data

It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed and implement suitable data security procedures to ensure it is appropriately protected.

5. Educate employees

With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.
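Tips 3 and 4 come down to knowing who touched which patient record and being able to act on it quickly. The following is an added example, not code from the article, from Sophos or from Lee's post: it applies three simple detection rules to EHR audit-log entries so that the insider error and insider wrongdoing the reports describe can be surfaced for review. The log lines, user names, patient IDs, the care-team assignment table and the thresholds are all constructed for illustration.

```python
"""Flag insider access to electronic health records (EHRs) that merits review.

Added example (not from the Naked Security article or Sophos). Three rules:
  * outside-assignment: a user viewed a patient not on their care-team list
  * after-hours: access outside the assumed working window
  * bulk-access: one user touched many distinct patients within one hour
Everything below (log, users, patients, thresholds) is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit lines: timestamp,user,role,patient_id,action
SAMPLE_AUDIT_LOG = """\
2017-01-10T09:05:00,nurse_amy,nurse,P1001,view
2017-01-10T09:07:00,nurse_amy,nurse,P1002,view
2017-01-10T09:40:00,dr_bob,physician,P2001,view
2017-01-10T10:15:00,clerk_cat,billing,P1001,view
2017-01-10T10:16:00,clerk_cat,billing,P3001,view
2017-01-10T22:30:00,dr_bob,physician,P9001,view
2017-01-11T11:00:00,nurse_amy,nurse,P4002,view
2017-01-11T14:00:05,it_dan,admin,P1001,export
2017-01-11T14:00:10,it_dan,admin,P1002,export
2017-01-11T14:00:15,it_dan,admin,P1003,export
2017-01-11T14:00:20,it_dan,admin,P1004,export
2017-01-11T14:00:25,it_dan,admin,P1005,export
2017-01-11T14:00:30,it_dan,admin,P1006,export
"""

# Constructed care-team assignments: the patients each user may legitimately access.
ASSIGNMENTS = {
    "nurse_amy": {"P1001", "P1002"},
    "dr_bob": {"P2001", "P2002"},
    "clerk_cat": {"P1001", "P3001"},
    "it_dan": set(),  # IT staff hold no clinical assignment at all
}

BULK_THRESHOLD = 5          # distinct patients per user per hour (assumed value)
WORK_HOURS = range(7, 20)   # 07:00-19:59 treated as normal (assumed window)


def parse_audit_log(text):
    """Turn the comma-separated audit text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def find_suspicious_access(events, assignments,
                           bulk_threshold=BULK_THRESHOLD, work_hours=WORK_HOURS):
    """Return (user, subject, reason) findings for the three rules above."""
    findings = []
    per_hour = defaultdict(set)  # (user, "YYYY-MM-DDTHH") -> distinct patients
    for e in events:
        allowed = assignments.get(e["user"], set())
        if e["patient"] not in allowed:
            findings.append((e["user"], e["patient"], "outside-assignment"))
        if e["ts"].hour not in work_hours:
            findings.append((e["user"], e["patient"], "after-hours"))
        per_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["patient"])
    for (user, hour), patients in per_hour.items():
        if len(patients) >= bulk_threshold:
            findings.append((user, hour, "bulk-access"))
    return findings


def summarize(findings):
    """Count findings by reason so a reviewer sees the shape of the problem."""
    return Counter(reason for _, _, reason in findings)


if __name__ == "__main__":
    found = find_suspicious_access(parse_audit_log(SAMPLE_AUDIT_LOG), ASSIGNMENTS)
    for user, subject, reason in found:
        print(f"{reason:19} {user:10} {subject}")
    print(dict(summarize(found)))
```

The assignment table is the heart of the check: a nurse looking up a patient who is not on her list may be a simple error, while an account with no clinical assignment exporting six records in thirty seconds is the kind of event the Protenus figures attribute to wrongdoing. Either way, the output is a review queue for the incident response plan, not a verdict.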