Insiders account for more than half of all health care data breaches

The health care industry’s biggest security threat is its own employees, according to a report by cyber insurance firm Beazley.

The Beazley Breach Insights report found that, over the first nine months of 2017, 41% of data breaches in the health care industry were caused by staff unintentionally disclosing information. Another 15% of incidents were caused by malicious insiders.

“A persistent threat”

The proportion of data breaches caused by insiders has risen slightly in the past year. Unintentional disclosure has risen by one percentage point, and malicious insider incidents have risen by three percentage points.

This rise is frustrating, not least because insider incidents are much easier to prevent than external threats. However, as the report states, insider error remains “a persistent threat and expose[s] organizations to greater risks of regulatory sanctions and financial penalties.”

Unfortunately, the health care industry is prone to insider incidents because many employees have access to sensitive information. Medical records are highly valued by criminals as they contain vast amounts of personal data, but financial gain is not the only motive. The report explains that many insider incidents are the result of curiosity, with staff “perhaps looking at a celebrity patient’s record or the record of an ex-spouse or neighbor.”

For example, a month after New York Giants star Jason Pierre-Paul suffered a now-infamous Fourth of July fireworks accident, two health care professionals leaked his medical record. The information showed the extent of the injury, including the fact that part of his hand was torn off.

Insider incidents may also be instigated by bizarre or unusual injuries. In September 2017, a Pennsylvania hospital was cited after state investigators found a “cheerleader type pyramid” of employees photographing a patient’s genital injury.

Regulators are cracking down on breaches

To tackle the steady rise in data breaches, the Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated more incidents and increased the average settlement payment. In 2013 and 2014, there were 13 resolution agreements, and the average payment was approximately $1m. There were another 13 resolution agreements in 2016 and 9 so far in 2017, with an average settlement payment of $1.8m.

As Beazley’s report indicates, if organizations can mitigate the threat of insiders, they will be less susceptible to data breaches and subsequent enforcement actions. They can do this by giving their employees regular staff awareness training.

Our Information Security Staff Awareness eLearning Course helps employees gain a better understanding of information security risks and compliance requirements, thereby reducing the risk of data breaches. It uses clear, non-technical language, making it ideal for those without prior experience of the subject.

Find out more about our Information Security Staff Awareness eLearning Course >>