Greed, fun, and bungling: Why insiders are the biggest threat to healthcare data

Chris Nerney, Contributing Writer

Security and privacy concerns regarding electronic health records (EHRs) tend to focus on external threats such as malware attacks and social engineering, but a new data analysis shows that the biggest threat to healthcare data comes from within.
The Verizon 2017 Data Breach Investigations Report concludes that while 75 percent of breaches across multiple industries last year were perpetrated by outsiders, more than two-thirds of participants (68 percent) in the 458 healthcare security incidents analyzed were internal.
“Insider misuse is a major issue for the healthcare industry,” the report said. “In fact, it is the only industry where employees are the predominant threat actors in breaches.”
The top two motivations for insiders to breach patient data are financial (28 percent) and “fun” (24 percent), with espionage (5 percent) and grudges (4 percent) far behind.  
These results, the Verizon report said, are a “product of a lot of sensitive data that may be accessed by legions of staff members containing PII (personally identifiable information) that is perfect for identity theft and medical history (sometimes of friends or relatives) that is very tempting for enquiring minds.”
Medical data was compromised in 69 percent of 2016 healthcare security incidents analyzed, followed by personal data (33 percent) and payment data (4 percent).
In many cases, though, the security breaches caused by healthcare insiders in 2016 weren’t malicious at all. Of the 296 analyzed healthcare industry breaches last year, 30 percent originated through human error such as misdelivery, disposal error, and loss.
Verizon defines an incident as a “security event that compromises the integrity, confidentiality or availability of an information asset,” and a breach as “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”
The Verizon report suggests several actions that healthcare providers could take to improve data security, including tighter policies on data management, monitoring of employees, and tokenizing sensitive PII such as Social Security numbers.
You can download the full Verizon breach report here.