Employees in the health care sector handle personal data all day long – admission forms, medical histories, Social Security numbers – so it is no surprise that insiders are a major information security threat. Verizon’s Protected Health Information Data Breach Report found that insiders were responsible for 782 health care breaches between 2016 and 2017.
This equates to 58% of all health care breaches, making the sector the only industry in which insiders are the biggest cybersecurity threat.
Why is this such a big problem?
The health care sector is particularly exposed to insider threats because of how many employees legitimately need access to sensitive data. In most other industries, records are kept where only those who need them can reach them. In a hospital, however, a large and constantly changing set of staff need access to patients’ records, so a wrongdoer does not need to hack a system or exploit a vulnerability to view them: they log in with their own credentials, and the access looks like ordinary use. Unless someone is reviewing who opened which record and why, the only thing stopping them is their own conscience.
So, what tempts people to breach personal data? The most commonly cited motive was financial gain (48%). A medical record bundles the identifiers criminals need, such as names, dates of birth and Social Security numbers, which can be used to commit tax fraud or open lines of credit. People are also motivated by “fun/curiosity” (31%), which typically means employees looking up the records of celebrities or people they know.
For example, days after New York Giants star Jason Pierre-Paul suffered a Fourth of July fireworks accident, two health care professionals leaked his medical record. The information showed the extent of the injury, including the fact that his right index finger had been amputated.
Insider incidents may also be instigated by bizarre or unusual injuries. In September 2017, a Pennsylvania hospital was cited after state investigators found a “cheerleader type pyramid” of employees photographing a patient’s genital injury.
How to mitigate insider breaches
Insider breaches are hard to prevent outright, because the people committing them are using access they were given to do their jobs. Verizon nonetheless points to an organization’s policies and procedures as an essential way of mitigating incidents. These should set out how the organization handles personal data, define a process for monitoring and reviewing access to patient records (so that a look-up by someone with no care relationship to the patient, or at a record flagged as sensitive, is noticed rather than buried in the audit log), and require all employees to enroll in staff awareness training so that they know their security obligations.
If you don’t know where to begin with staff awareness, you might consider our Information Security Staff Awareness E-learning Course.
This course provides a comprehensive introduction to information security risks and regulatory requirements, helping employees reduce their exposure to security failures. Your staff will learn the basics of information security, including threats arriving by email, over the Internet and in the workplace, and will understand your policies on incident reporting and response.