Phishing remains a key attack vector for bad actors, used not just to compromise individual user accounts but also to establish a foothold in an organization’s entire infrastructure. This works because attackers know one thing very well: a company’s first line of defense, its staff, is also its weakest security layer.
Hackers leverage phishing and other forms of social engineering to steal information, encrypt data as part of ransomware campaigns, or deploy malware and fileless attacks, with financial gain as the ultimate goal. Often, however, breaches occur not because of hackers or external parties, but out of sheer internal negligence. And according to the latest data, two verticals suffer most from this syndrome: healthcare providers and insurance companies.
New research from Michigan State University and Johns Hopkins University shows that over half of recent data breaches involving personal health information (PHI) stemmed from internal issues at medical providers, not from malicious intent, and certainly not from external attackers.
“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.
The research looked at roughly 1,800 large PHI data breaches over a seven-year period, with 33 hospitals suffering more than one substantial breach, according to Help Net Security. Internal issues at healthcare entities caused 53 percent of them.
“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
And the repercussions can be truly serious for patients whose data has been leaked. For example, when pharma giant Anthem suffered a data breach in 2015, 37.5 million patient records were compromised. The company failed to notify everyone promptly, and some users fell victim to fraud.
Researchers advise healthcare providers to adopt internal policies and procedures that tighten processes and prevent insiders from leaking PHI, following a strict set of protocols focused on safeguarding patient data. These include transitioning from paper to digital medical records, policies that keep protected patient information off mobile devices, implementing encryption, and offline storage.
There’s no shortage of cases confirming these findings, with at least two already reported this week.
On Monday, Mercy Medical Center in North Iowa notified 1,900 customers of a potential data breach involving their health records and personal information. The letter specified that the data may have been “inappropriately accessed by an employee between July 2017 and July 2018,” according to the Globe Gazette.
Also yesterday, an allergy practice agreed to pay $125,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services to settle a doctor’s disclosure of PHI to a reporter.
As far as insurers go, ProPublica covered an interesting case last week, telling the story of Tony Schmidt, who learned that his insurance company had obtained his medical data without his consent and later used it against him to deny reimbursement for medical equipment.