In Part 1 of the article, Finn Partner’s surveyed over 500 employees are various organizations across the United States to examine the cyber-risk employees pose for their employers. In a review of the results, it was found that two in five employees openly admitted to clicking on links or opening attachments from senders they did not recognize. Further, it was found that 55% of employees are using personal devices for work engagements, a practice that directly increases an organizations exposure to security threats.
Unfortunately, we do not have good news.
A more recent study, conducted by John (Xuefeng) Jiang and Ge Bai, published November 19, 2018, reviews government recorded data regarding the root causes of healthcare data breaches. Unsurprisingly, employees and internal factors, again, remain at the top of the list.
When a healthcare organization falls victim to a data breach, it must be reported to the U.S. Department of Health and Human Services. Information regarding each breach is then categorized into one of six categories believed to be the root cause of the breach. Those categories are: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or “other.”
John (Xuefeng) Jiang, Ph.D. and Ge Bai, Ph.D., examined the data released by the U.S. Department of Health and Human Services on 1,138 health data breaches, affecting a total of 164 million patients, recorded from October 2009 to the end of 2017. Within the scope of the study, it was found that more than half of all the breaches are the result of internal factors in healthcare organizations, not hackers or any other form of external parties.
To be specific, Jiang and Bai found that 53% of the breaches were the direct result of internal factors within the healthcare organizations themselves, in other words, their employees. Theft and hackers made up the remaining 33% and 12%, respectively.
While hackers managed to get their hands on the health records for 133.8 million patients in 233 separate incidents during the study period, nearly 25% of all cases were caused by unauthorized access or disclosure, more than double the amount caused by external hackers.
This type of breach could be the result of an employee taking personal health care information home, or forwarding the data to a personal account or device. It could also be the result of an employee sending data to the wrong recipient.
“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,”
John (Xuefeng) Jiang – PhD
According to Jiang, the employees included here are those working in hospitals, doctors’ offices, insurance companies, and even pharmacies. These seemingly harmless errors are putting patient confidentiality at significant risk.
Consistent with associate professor Ge Bai, Ph.D., some healthcare organizations put protected healthcare information “on the website” without any protection, solely on account of employee negligence. In some instances, employees failed to encrypt the personal data even with access the encryption software.
Both Jiang and Bai believe that health care providers should adopt internal policies and procedures to tighten processes and prevent internal parties from leaking personal healthcare data.
Such protocols should include regular employee awareness training, as well as general rules with pertinence to the transmission of protected health information.
To adequately address data breaches related to improper storage, all paper records, which accounted for 29% of breaches, should first be transferred to digital medical records. Also, the use of mobile devices, which were involved in 46% of cases, should be avoided in favour of encryption and firewall protected data storage.
Thus, concerning internal factors, moving towards non-mobile policies for patient-protected data and implementing mandatory encryption procedures is a good start for healthcare providers.
For information on Employee Awareness Training, to identify your organization’s greatest threat or for help Choosing a Penetration Testing Company, please review our website and contact us for in-depth information on how to prepare your organization.
December 10 - Blog
Hardware token protocols: what are they, and what role do they play in your organization's cybersecurity? In today's article, our ethical hackers outline the most common hardware token protocols.
October 24 - Blog
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
© 2024 Packetlabs. All rights reserved.