Reporting data breaches wasn’t mandatory for every type of organization before the GDPR came into force, but the health sector is a different animal. Healthcare is more tightly regulated than most other industries, and it has also seen a spike in data breaches in the last year – especially ransomware attacks. With the new regulations in place, reported incidents in healthcare are, not surprisingly, on the rise.
According to new analysis by Kroll, the number of reported data security incidents received by the UK Information Commissioner’s Office (ICO) has increased by 75 per cent over the past two years. As a member of the European Union, the United Kingdom is subject to a strict regime of data protection. But under the GDPR, this regime applies to the entire European Union, and indeed the world.
The increase in reports indicates that organizations are starting to be more transparent, albeit also because the GDPR is twisting their arm to do so. Analysts therefore expect both the number of reports and value of fines issued to increase significantly, generating greater regulatory and reputational risks for businesses.
The analysis further reveals that the data breach risks posed by human error are at least as great as those from cyber attacks. 2,124 reports in the past year could be attributed to human error, compared to just 292 that were deliberate cyber incidents.
The most common types of incidents include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). 133 reports involved the loss or theft of unencrypted devices. As far as deliberate attacks went, victims reported unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).
The health sector is responsible for the highest number of reported data security incidents over the past financial year (1,214), a 41% increase over two years. This is partially due to mandatory reporting requirements that only applied to certain sectors pre-GDPR. Under the new regulation, analysts expect to see a much broader spread of business sectors reporting incidents.
Health or clinical data is also the most common type of personal data compromised. Other kinds of personal data compromised include financial details (10%), social care data (7%), employment details (5%), criminal records or endorsements (4%) and education records (3%).