The healthcare industry is notorious for insider threats, and a new report from Protenus suggests this reputation isn’t going away. The organization’s monthly Breach Barometer found that insiders were responsible for 15 data breaches in the healthcare industry in September, representing 32.6% of all incidents.
The sources of the breaches were healthcare providers (67%), health plans (13%), business associates or third parties (13%), and schools (7%).
Protenus notes that there could have been more incidents involving third parties, but information in this area is routinely lacking.
Most insider breaches caused by wrongdoing
Protenus breaks down insiders into two categories: insider error and insider wrongdoing (also known as malicious insiders).
Insider error is the result of employees or contractors not being aware of their security obligations. Examples include misplacing or not properly securing files, emailing confidential information to someone outside the company, or creating software with security flaws.
Insider wrongdoing is caused by employees with legitimate access to information or former employees whose access hasn’t been revoked. There are a number of reasons these people might misappropriate information, but the most common motives are revenge and financial gain (by selling the data).
Six of the reported incidents were the result of insider error (affecting 24,958 patient records). Eight of the reported incidents were the result of insider wrongdoing (affecting 47,887 patient records). The other incident involved a multitude of errors surrounding a bizarre medical emergency caused by someone having too much fun.
These results only partly correspond with the trend reported in the Protenus Breach Barometer Report: Mid-Year Review. It found that breaches caused by insider wrongdoing led to more exposed records than insider error (743,665 versus 423,000), but occur less frequently (36 incidents versus 57 incidents).
Improved data breach response times
Protenus did find a positive note in that healthcare organizations are getting better at identifying and reporting breaches promptly. Although the average time it took to discover a breach was 387 days, this figure is inflated by one incident that took almost six years to detect. A more accurate figure would be the median (middle number) length of time, which was 38 days.
The average length of time it took organizations to disclose a breach was 66 days (median: 59 days). Protenus writes: “It’s promising to see that healthcare organizations are routinely reporting health data breaches within the mandated 60-day window. Hopefully breach detection will continue to improve through the use of the advanced technologies being implemented across North America’s healthcare organizations.”
However, the report stresses the importance of mitigating the long-standing issue of insider breaches, calling for “the healthcare industry to make patient privacy a priority.”
The best way to do this is to certify to ISO 27001, the international standard that describes best practice for an information security management system (ISMS). Doing so will help organizations meet critical legislative requirements such as the Health Insurance Portability and Accountability Act (HIPAA). All healthcare organizations are bound by the HIPAA, and violating it can lead to civil monetary penalties of as much as $50,000 per compromised record – up to an annual maximum of $1.5 million.
Staff awareness training is an essential component of maintaining ISO 27001 compliance, and our Information Security & ISO27001 Staff Awareness E-Learning Course can help your organization meet that requirement.
This course gives employees a better understanding of information security risks and ISO 27001 compliance requirements. It’s ideal for anyone who processes information or who uses information technology in their daily jobs.