The Protenus Breach Barometer Report claims that there have been 233 reported data breaches in the healthcare industry so far this year, and 41% of them have been caused by insiders.
The report adds that breaches caused by insiders, either deliberately or accidentally, are less common than hacks (53%), but they affect more patient records and can go undetected for much longer. This goes to show that, although hacks are often more headline-worthy, it is at least as important to mitigate the risk of insiders leaking data.
Insider error versus insider wrongdoing
Protenus breaks down insiders into two categories: insider error and insider wrongdoing (also known as malicious insiders).
Insider error is the result of employees or contractors not being aware of their security obligations. Examples include misplacing or not properly securing files, emailing confidential information to someone outside the company, or creating software with security flaws.
Breaches like these can be managed by revising security policies and educating staff on handling personal and confidential information.
Insider wrongdoing is potentially harder to defend against, as it is carried out by employees with legitimate access to the information, or by former employees whose access hasn’t been revoked. The threat of malicious insiders can be partially mitigated by restricting access rights to what each role needs, but this isn’t foolproof: most employees will naturally need access to some information, and there’s almost no reliable way to spot a potential insider threat in advance.
Protenus claims that breaches caused by insider wrongdoing led to many more exposed records than insider error (743,665 versus 423,000), but occur less frequently (36 incidents versus 57 incidents).
Fixing healthcare’s vulnerabilities
Speaking to Healthcare IT News, Protenus President and Co-founder Robert Lord said: “The healthcare sector will only stop being so vulnerable when the advances in data collection, sharing and analytics are matched with similar advances in our understanding of how to protect patient data.
“Healthcare has invested tens of billions of dollars in deploying systems to leverage data to improve patient outcomes – and appropriately so. But we still have massive problems with the abuse of that data and those systems.”
Lord says the industry has seen slight improvements in its security measures, but it can only improve significantly by chief information security officers and chief privacy officers “dramatically increasing investment in these areas to match other industries and leveraging the use of advanced analytics to detect inappropriate uses of patient data.”
He adds: “A culture of trust, comprised of dual pillars of privacy and security, must come from the highest levels of the organization.”
Educate your staff
Staff awareness training is fundamental for effective information security management and meeting regulatory and compliance requirements.
Making sure your employees know about these requirements can be time-consuming and costly, so we’ve created the Information Security Staff Awareness eLearning Course. It’s designed to help employees better understand information security risks and awareness policies and procedures.
By enrolling your staff on this course, you can reduce the likelihood of insider error and be sure that your information assets are better protected.