An analysis of healthcare data breaches for the first half of the year shows that the healthcare industry is on the path to suffer more one data breach a day this year.
Highlights from the report, Breach barometer Report: Mid-Year Review, from patient privacy analytics monitoring provider Protenus and data breach tracking website databreaches.org show that through June of this year there were 233 breaches reported to U.S. Health and Human Services (HHS), state attorneys general, or were reported in the media. While the total number of records exposed in all of the breaches was not yet available, out of 193 of incidents in the report where such data was known a total of 3,159,236 patient records were exposed. For the most part, breaches were evenly distributed across the months.
The largest healthcare related exposure, according to the report, totaled 697,800 patient records and wasn’t caused by external attackers but an insider. It’s interesting how many breaches were caused by insider mishaps or wrongdoing (41 percent) vs. hacking (53 percent).
While healthcare organizations were able to report the details of their breach within what I consider a reasonable period of time, 55 days, it is taking them considerably way too long to identify that they have been breached: 326 days.
According to the report, 41 percent (96 incidents) of health data breaches this year were a result of insiders. To date, only 73 insider-driven incidents have detailed information on them and they involved 1,166,674 patient records
“The number of breach incidents and affected patient records is on course to meet or exceed the findings for 2016,” the report said. The report defined insider incidents as either insider-error or insider-wrongdoing. Insider-error was essentially defined as accidents and any incident that couldn’t have maliciousness attributed to it.
According to the report, 57 of the 96 insider incidents disclosed this year were a result of an insider- error or accident, while 36 incidents were a result of wrongdoing. “In three cases, there was insufficient information to determine whether the incidents should be coded as error or wrongdoing. While there were substantially more breach incidents that involved insider-error (57 incidents vs. 36 incidents), it was insider-wrongdoing that affected considerably more patient records (423,009 vs. 743,665),” it read.
Just last month, Verizon publicly exposed 14 million customer records, many containing sensitive and personal information such as names, cell phone numbers, and account PINs. The data was exposed on an unprotected AWS server. And about a week later, a poorly configured Dow Jones & Co. database on Amazon S3 exposed the data on 2 million or more customers to anyone who knew how and where to look. Insider error can lead to big outside exposures.
Such events as well as the statistics from HHS perhaps explain why so many IT security professionals are more concerned about internal, rather than external threats. A recent survey from Dimensional Research, The Growing Security Threat from Insiders, found that 49 percent of information security professionals believe internal threats are more concerning than those coming from the outside in. The survey found that a majority of security professionals (87 percent) believe it is careless employees and those who bend security rules to get their jobs done that are the bigger threat than maliciously inclined insiders.
That was closely followed careless employees infecting systems with malware (73 percent) and abuse of admin privileges (63 percent). Only 13 percent of those surveyed were concerned about insiders who go bad.