Successful hacks are headline news, and there have been a great deal reported so far in 2015; however, the main healthcare data breach risk is employee negligence according to a new data security report issued by SurfWatch.
The security company discovered that the majority of data breaches result from device loss, theft, and insider activity, which in the vast majority of cases, comes down to employee negligence. Oftentimes simple mistakes are made that potentially expose data. Negligence can also give hackers access to networks, mobile devices and other networked computer equipment.
In its mid-year Cyber Risk Report for 2015, the company warned that there had been an increase in data theft in 2015. Hackers and malicious insiders/outsiders were found to be targeting organizations in the healthcare, retail, industry and finance industries. The data held by these companies carries a high value, and companies tend to store a considerable number of records.
When they analyzed the security incidents reported so far in 2015 they found that healthcare data breaches were most commonly caused as a result of employee negligence.
The researchers attributed data breaches to employee negligence if current (or former) workers had divulged data to criminals, either knowingly or accidentally. Data breaches were also attributed to employee negligence if they were caused by errors of judgement or carelessness, such as turning off a firewall.
The researchers discovered improper disposal of healthcare data – electronic and physical records – had been a common cause of data exposure, and discovered numerous cases of disgruntled employees stealing, selling or simply exposing data to get back at their employers.
For the healthcare industry, insider access was named as the top presence during the first six months of 2015, which included negligence as well as theft of data with criminal intent. When the company compiled a list of the top industry targets associated with cybercrime, three health insurers were included in the top 15 targets for the year. Anthem Inc. was the biggest target out of all industry sectors, with its data breach affecting 78.8 million individuals. Premera BlueCross came in fourth, with CareFirst BlueCross BlueShield taking 12th place.
Healthcare Data Breach Risk Mitigation
According to the researchers, one of the main problems faced by organizations looking to reduce data breach risk was how to implement appropriate security controls without those measures having a major impact on usability of networked computer systems. A system cannot be made impenetrable without it being made unusable, so organizations must find the right balance between security and usability. Intrusion detection is a good example. Scans can be performed on a network to check for viruses, inserted code and malware, but not without those scans having an impact on speed of access of data records by authorized personnel. If a system must be used round the clock, organizations must still find the time to conduct full system scans.
There has been a great deal of criticism poured on organizations that have failed to implement data encryption to protect healthcare records this year, yet the researchers pointed out that even encrypted data is not 100% safe. It is therefore not sufficient to use data encryption alone. It is not a universal solution that answers all of an organization’s data security issues. It should be used as part of a much broader program of data security.
Healthcare data breach risk mitigation strategies must be developed if data breaches are to be avoided, or reduced. According to the report, “Organizations will need to review and deploy a proper combination of access control and encryption for data in transit as well as encryption for data at rest in order to reduce their risk landscape.”