Workers biggest source of healthcare industry’s data breaches

Healthcare is the only industry where the biggest threats to data security in 2017 came from its own workers, according to a new report from Verizon.

Verizon’s 2018 Data Breach Investigations Report mirrored what was released last month in its report on breaches involving protected health information (PHI) in prior years. Whereas all other industries profiled—including education, financial and retail—saw the majority of their breaches come from external forces, most of the healthcare industry’s threats came from inside.

More than half of healthcare data incidents and breaches—56 percent—came from insiders, compared to 28 percent of cyberattacks across all industries. The earlier Verizon report put the share of insider threats at 58 percent when combining incidents from the 2016 and 2017 Verizon data breach reports.

Some 79 percent of the breached data involved medical information, with 37 percent of it being personal data and 4 percent being financial. While some employees are abusing their privileged access to data systems, human error was to blame in 35 percent of breaches.

“As Caesar found out the hard way, often those who do you the most harm can be those closest to you,” the report said. “This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical.”

Not all the incidents were part of some malicious behavior by employees. In 13 percent of overall incidents and breaches (and in 47 percent of misuse cases), the report said the motivation was “driven by fun or curiosity—for example, where a celebrity has recently been a patient.”

One of Verizon’s recommendations to address these internal threats was to “institute a smackdown policy.” Access to PHI should be monitored and employees should be told again and again that they can be punished for viewing patient data without a legitimate reason.
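The monitoring half of that recommendation can be automated against the EHR audit trail. The example below is added here and is not code from Verizon or the report; it assumes a simple whitespace-separated audit line format and a table of active care-team assignments (both constructed), and flags record views that have neither a documented treatment relationship nor a logged break-the-glass reason, plus any view of a watchlisted (e.g. high-profile) patient.

```python
"""Flag potentially unjustified PHI record views from a constructed EHR audit trail."""
from collections import Counter

# Constructed: active care-team assignments (user -> set of patient MRNs).
ASSIGNMENTS = {
    "nurse01": {"MRN1001", "MRN1002"},
    "dr_lee": {"MRN1001"},
    "clerk07": set(),
}

# Constructed audit lines: timestamp, user, patient MRN, action, reason code ("-" if none).
AUDIT_LOG = """\
2017-11-03T08:12:05 nurse01 MRN1001 VIEW -
2017-11-03T08:15:40 dr_lee MRN1001 VIEW -
2017-11-03T09:02:11 clerk07 MRN1001 VIEW -
2017-11-03T09:02:45 clerk07 MRN1001 VIEW -
2017-11-03T09:03:10 nurse01 MRN1003 VIEW BTG:emergency
2017-11-03T09:05:00 dr_lee MRN1002 VIEW -
"""

def parse_audit(text):
    """Parse the assumed audit format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, mrn, action, reason = line.split()
        events.append({"ts": ts, "user": user, "mrn": mrn, "action": action, "reason": reason})
    return events

def find_unjustified_access(events, assignments, watchlist=frozenset()):
    """Return (ts, user, mrn, finding) tuples for VIEW events that need review.

    A view is justified by an active assignment or a break-the-glass (BTG:) reason.
    BTG views are still surfaced for review; watchlisted MRNs are surfaced even
    when an assignment exists so a reviewer can confirm the access was needed."""
    alerts = []
    for ev in events:
        if ev["action"] != "VIEW":
            continue
        related = ev["mrn"] in assignments.get(ev["user"], set())
        btg = ev["reason"].startswith("BTG:")
        if not related and not btg:
            alerts.append((ev["ts"], ev["user"], ev["mrn"], "no treatment relationship"))
        elif btg:
            alerts.append((ev["ts"], ev["user"], ev["mrn"], "break-the-glass access (review)"))
        elif ev["mrn"] in watchlist:
            alerts.append((ev["ts"], ev["user"], ev["mrn"], "watchlisted record"))
    return alerts

def repeat_offenders(alerts, threshold=2):
    """Users with at least `threshold` no-relationship views, for policy follow-up."""
    counts = Counter(a[1] for a in alerts if a[3] == "no treatment relationship")
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Run over the constructed log, clerk07 is flagged twice for viewing MRN1001 with no assignment, and the emergency break-the-glass view by nurse01 is listed separately for reviewer confirmation.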

Healthcare organizations were among the most common victims of attacks overall, with 750 incidents and 536 breaches recorded by the report for 2017. They were also major targets of what the report called “social attacks,” commonly involving clicking on links in a phishing email.

“Healthcare has a wide attack surface for social tactics due to the very nature of what they do,” the report said. “Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.”

Beyond problems with employees, ransomware continued to be “an epidemic” for healthcare organizations, according to the report. While Verizon said it can’t decipher whether the industry is more susceptible than others to ransomware, it emphasized data security professionals need to “take immediate steps to combat this ubiquitous attack type.”

John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.
