Most data breaches that occur in the health care industry are caused by individuals inside the affected organizations, according to Verizon's latest annual Data Breach Investigation Report.
For the report, analysts reviewed more than 53,000 security incidents and more than 2,200 breaches that occurred across various industries, including health care.
The report identified 536 breaches and 750 security incidents that occurred among health care organizations in 2017. According to the report, 56% of breaches that occurred in the health care industry in 2017 resulted from individuals inside the affected organizations. The figure marked the first time that insider threats spurred the majority of breaches that occurred in the health care—or any other—industry since Verizon first started tracking the statistics, Axios' "Vitals" reports.
But not all "insider threats" involved individuals deliberately undermining their organization's security. According to the report, 35% of inside breaches in the health care industry were attributed to human error, such as clicking on a phishing email, while 24% were attributed to misuse. The report found that as many as 13% of health care industry breaches were caused by insiders who were "driven by fun or curiosity," such as viewing information on a celebrity patient.
Insiders are often the 'weakest link' in an organization's security, expert says
Bryan Sartin, Verizon's executive director of security professional services, said health care organizations should better educate their workers about their role in preventing cyber-related crime. "Employees should be a business' first line of defense, rather than the weakest link in the security chain," Sartin said. He added, "Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organization."
The report also noted that ransomware continued to pose a significant threat to health care organizations. Across all industries, the report found that ransomware accounted for 39% of all reported malware-related data breaches that occurred last year—but in health care, it was responsible for 85% of such breaches.
However, the analysts suggested that the proportion of breaches related to ransomware at health care organizations could appear higher when compared with other industries because health care organizations are required to report breaches under HIPAA and other federal laws. David Hylender, a senior network analyst and principal with Verizon, said, "They have to disclose things that other organizations may not have to report publicly," adding, "Therefore, the number goes up."
Still, analysts said organizations can better protect themselves from ransomware and other outsider threats by consistently monitoring their systems to detect compromises in security, training employees to identify potential attacks, and limiting access to sensitive data (Baker, "Vitals," Axios, 4/11; Anderson, Channel Partners, 4/11; Davis, Healthcare IT News, 4/10).
Advisory Board's take
Verizon's latest findings are a great reminder: Your organization's cybersecurity is ultimately built on—and can be undermined by—your staff.
Even though the media has focused on buzzy vulnerabilities with peculiar names like "WannaCry" or "Spectre," you're at least as likely to face threats from internal actors. Think of the employee who unthinkingly clicks on a phishing email, for instance, or even a malicious staffer who deliberately steals patient data. The best way to ward off cybersecurity threats is to double down on your security awareness training and testing procedures.
Leading organizations are moving toward continuous awareness training, supplemented with frequent internal user testing—such as via internal phishing campaigns, which safely test whether internal users are able to identify and avoid clicking on suspicious messages. Individuals who "fail the test"—that is, click on the link—can be automatically enrolled in remediation training. These internal campaigns are critical to your organization's ability to avoid potential cyber incidents, and they create well-defined security metrics that executive leaders should expect to see improve over time.
While organizations should hesitate to place blame if leaks occur, we do recommend codifying how individuals will be held accountable for patterns of risky behavior. For instance, how will you handle a "repeat offender" who keeps on clicking on suspicious emails during internal phishing campaigns? What if that repeat offender is a physician? Or an executive?
Providers may choose to treat the issue as a learning opportunity, to incorporate security practices as a component of performance reviews, to address the behavior problem within an existing progressive discipline approach, or perhaps to apply a three strikes penalty in which the user loses external email until he or she is able to demonstrate an understanding of security practices. We've seen all of these methods used, but the key is that leadership has identified a method it is willing to support and enforce.
In the end, your security policies must fit your culture and meet your leadership's expectation for security maturity and preparedness. There is no technical "quick fix." Rather, this is a cultural challenge that can only be solved with the help of senior leaders across the enterprise.