A Verizon study concluded that healthcare is the only industry whose biggest threat is internal. Here’s how health systems can prepare.
Images have been cropped and resized. Courtesy of Verizon.
When it comes to protecting patients’ private health data, 2 of the biggest threats are also the most familiar sights around a clinic: paper and co-workers.
Those are among the findings from a new Verizon report that takes a deep dive into data breaches involving protected health information (PHI). The report found 58% of the 1368 data breaches studied were caused by actions taken by internal employees. Verizon also found that 27% of breaches were related to paper documents.
“The report states that the healthcare industry is the only industry in which internal actors are the biggest threat to an organization,” Suzanne Widup, a PhD candidate and senior analyst on Verizon’s Research, Investigations, Solutions and Knowledge (RISK) Team, told Healthcare Analytics News™. “But it also states that it is not the only threat to the industry.”
The most common reason employees violate privacy rules is financial gain (48%), according to the paper. Employees can use private patient information like social security numbers to open lines of credit or commit tax fraud, for instance. However, Verizon also found that many employee data breaches are due to less nefarious reasons, like curiosity about the private details of a friend, family member, or celebrity (31%), or simply as a means to cut corners and bypass proper procedures (10%).
Widup said healthcare organizations can do a lot to shore up their defenses, both in the short and long terms.
“In the short term, organizations should consider implementing improvements such as full disk encryption (FDE), routine monitoring of record access, and controls for defending against malware installation,” she said.
FDE is a technology that automatically encrypts all data on a hard drive, thus limiting access to a small number of people within the organization who have the proper credentials.
“For longer-term planning, we encourage organizations to look at electronic PHI (ePHI) in an effort to reduce breaches associated with paper documents, to develop policies that build security into all implementations of new technologies, and to create an overall incident response plan,” Widup said.
Electronic records would solve a number of paper-related problems, many of which are simply human error. For instance, misdelivered mail with confidential patient information or failure to shred sensitive documents can lead to PHI breaches. But Widup said each healthcare organization must tailor its own approach.
“I encourage hospitals to think through a comprehensive risk management program that would address the unique and sensitive data that they house as part of a long-term cybersecurity strategy,” she said.
And where paper is necessary, rigorous process controls can mitigate most risk, Widup said.
The report also spotlights the persistent problem of ransomware. Among the breaches caused by malicious code, 70% of those studied by Verizon fit into the category of ransomware.
Widup said healthcare organizations need to take the threat of ransomware seriously, and take a multi-pronged approach to combat it.
“Organizations, first and foremost, must ensure they have the ability to recover from good, untainted backups, since this is an attack that is very difficult to prevent entirely,” she said. “The only way to do this is by testing the restore capability of their systems, knowing how long that takes, and having plans in place to carry on operations while the recovery efforts are ongoing.”
Widup said healthcare organizations also need to ensure their employees are properly trained in avoiding suspicious emails and links. However, she said healthcare firms must also have procedures in place to allow employees to quickly report potential data breaches, phishing attempts, or ransomware, since in some cases early detection can help limit damage.
Verizon’s 2018 Protected Health Information Data Breach Report can be read in full here.