- More than half of health industry security incidents are tied to employees within the organization — making healthcare the only industry where insiders are the biggest threat, according to Verizon’s latest Protected Health Information Data Breach Report.
- Verizon analyzed data from 1,368 security incidents in 2016 and 2017 and found that people inside the organization triggered 58% of breaches, versus 42% that were caused by outside actors. The dataset included incidents from 27 countries, but about three-fourths occurred in the U.S.
- The primary motivation for internal breaches was money, spurred on by curiosity, convenience and an occasional grudge.
While unsettling, the large share of security incidents stemming from inside organizations is not a total surprise. A 2017 study by an international team of researchers found widespread sharing of EHR passwords among physicians and clinical support staff, putting patients’ personal health information at risk.
Despite the media buzz around large-scale cyberattacks, hacking and malware accounted for just 14.8% and 10.8% of security incidents in healthcare. The most common cause was error, tripping 458 cases (33.5%). The next most common factor was unapproved or wrongful use of an organization’s resources (29.5%). Incidents involving missing laptops and other assets made up 16.3% of the incidents.
The report also looks at incidents that target certain people to gain access to personal data and systems. Here, phishing accounts for nearly 70% of all cases and often involves emails requesting the recipient open a malware file or click on a link.
When personal information was breached, it was most often medical records. In all, 589 cases of medical records disclosure were found, 196 involved personally identifiable information, 28 involved payment card information and 14 involved credentials.
“As all industries move towards utilization of the Internet of Things (IoT), establishing a proactive policy of building security into any and all implementations is vital to getting ahead of what could be an increasing threat in the future,” the report said. “Focusing on resiliency and availability in regards to IoT implementations as well as integrity or confidentiality is important."
Last year saw multiple disruptive cyberattacks on healthcare organizations, including the massive global WannaCry virus that crippled hospital systems in the U.K. and affected businesses in 104 countries.
Still, many healthcare organizations are not making cybersecurity a high priority, making them prime target for a malware or ransomware attack. A recent Black Book Market Research survey found that about 80% of organizations lack an executive-level leader to manage cybersecurity enterprise-wide and just 11% plan to name one in 2018.