By Grant Elliott, President and CEO, Ostendio
Twitter: @ostendio
Study Shows that Healthcare’s Internal Security Breaches Exceed External Ones
Was that Lady Gaga in the emergency room? What kind of procedure is my ex having? If you’re a healthcare organization, curiosity is one reason why your employees are a data security threat. Yes, the recent Verizon DBIR shows that ransomware has doubled again over the previous year across all industry verticals, yet in healthcare, insider threats are an even bigger issue.
The report reveals that when comparing internal and external threats, 56% of security breaches in healthcare are insider-related. “Misuse” (aka curiosity and nosiness) is only one reason that healthcare insiders are a risk factor for healthcare data breaches. But whether from “misuse” (24%) or error (35%), the Verizon report shows that it’s the people side that plagues healthcare.
Human error is one thing, but unauthorized access is an abuse of privilege – and prohibited, regardless of whether the user’s credentials technically allowed it. How can you prevent a security breach that’s due to natural curiosity, much less one that’s a simple error? With privacy, information security and cyber awareness training.
5 Ways to End the “I Didn’t Know” Excuse:
Every employee needs to become cyber aware, to internalize the knowledge that they are responsible for protecting sensitive data, regardless of their role.
- Teach employees how their specific role relates to sensitive data, even if they never touch a database or view a medical record.
- Integrate HIPAA privacy and information security training and cyber awareness exercises into your on-boarding process – employee or contractor.
- Communicate the consequences. Convey a clear understanding of what can happen to any employee discovered to be at the root of a “misuse” related security breach.
- Run phishing-specific training often to help decrease error-related breaches. Over 90% of cyber-attacks originate with a spear phishing campaign, so this is where a single careless click most often turns into a breach.
- Monitor PHI access closely. The same system you use to track training, assets and policies and procedures should ideally also let you review access audit logs, so that a user opening the chart of a patient they have no treatment relationship with is caught quickly rather than months later.
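To make the last point concrete, the following is an added example (written for this edit, not Ostendio’s product or code) of the kind of check an audit-log review can run over EHR access records. It assumes a simple comma-separated log format (timestamp, user, patient ID, action), a care-team table listing which users have a documented treatment relationship with each patient, and a convention that emergency “break the glass” access is recorded with its own action name; all of these, and the sample log lines and user names, are constructed for the example. It flags accesses with no treatment relationship, lists emergency accesses that need a justification review, and picks out users who touched several unrelated records, which is the pattern that typically distinguishes snooping from a one-off mistake.

```python
"""Added example: flag PHI accesses with no treatment relationship in EHR audit logs."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log (comma-separated: timestamp,user,patient_id,action).
# These lines are made up for this example; real EHR audit formats vary.
SAMPLE_LOG = """\
2024-03-04T09:12:31,nurse.jones,P1001,VIEW_CHART
2024-03-04T09:15:02,nurse.jones,P1002,VIEW_CHART
2024-03-04T10:01:45,dr.patel,P1001,UPDATE_NOTE
2024-03-04T12:33:10,clerk.smith,P9001,VIEW_CHART
2024-03-04T12:34:50,clerk.smith,P9001,VIEW_DEMOGRAPHICS
2024-03-04T22:05:00,nurse.jones,P9001,VIEW_CHART
2024-03-04T22:06:12,nurse.jones,P5555,VIEW_CHART
2024-03-04T23:40:00,dr.lee,P1002,BREAK_GLASS_VIEW
"""

# Constructed care-team table: patient -> users with a documented treatment
# relationship. In practice this is derived from admission/scheduling data.
CARE_TEAM = {
    "P1001": {"nurse.jones", "dr.patel"},
    "P1002": {"nurse.jones"},
    "P9001": {"dr.lee"},
    "P5555": {"dr.lee"},
}

# Assumed convention: emergency ("break the glass") access is legitimate without a
# prior relationship, but every such event needs a documented justification.
BREAK_GLASS_ACTIONS = {"BREAK_GLASS_VIEW"}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    action: str


def parse_log(text):
    """Parse audit lines; skip blank or malformed lines instead of crashing."""
    accesses = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        accesses.append(Access(*parts))
    return accesses


def find_no_relationship(accesses, care_team):
    """Accesses by users not on the patient's care team.

    A patient missing from the table counts as 'no relationship' so that gaps in
    the reference data surface as alerts rather than silently passing.
    """
    return [a for a in accesses
            if a.action not in BREAK_GLASS_ACTIONS
            and a.user not in care_team.get(a.patient, set())]


def find_break_glass(accesses):
    """Emergency accesses: allowed, but each one goes to a justification review."""
    return [a for a in accesses if a.action in BREAK_GLASS_ACTIONS]


def users_over_threshold(flagged, min_patients=2):
    """Users who touched at least min_patients distinct unrelated records."""
    per_user = defaultdict(set)
    for a in flagged:
        per_user[a.user].add(a.patient)
    return sorted(u for u, pts in per_user.items() if len(pts) >= min_patients)


def run_report(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Run all checks over one log and return the findings as a dict."""
    accesses = parse_log(text)
    flagged = find_no_relationship(accesses, care_team)
    return {
        "no_relationship": flagged,
        "break_glass": find_break_glass(accesses),
        "repeat_offenders": users_over_threshold(flagged),
    }


if __name__ == "__main__":
    report = run_report()
    for a in report["no_relationship"]:
        print(f"NO RELATIONSHIP  {a.ts} {a.user} -> {a.patient} ({a.action})")
    for a in report["break_glass"]:
        print(f"BREAK GLASS      {a.ts} {a.user} -> {a.patient}: justification required")
    print("Repeat pattern:", report["repeat_offenders"])
```

On the constructed log, the clerk’s two looks at P9001 and the nurse’s late-evening views of two patients she is not assigned to are flagged, the doctor’s break-the-glass view is routed to justification review rather than treated as a violation, and only the nurse meets the repeat-pattern threshold. The care-team table is the piece that takes real work in production: the check is only as good as the relationship data it is compared against.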
The report confirms what we already know: the people side of the security equation is a moving target. Your internal data security is only as strong as your workforce’s commitment to protecting ePHI. Software patches, asset tracking and strong password protocols are essential, but they only go so far. It’s human nature to be curious and to make mistakes. A healthcare organization with a cyber aware culture does not eliminate that; it creates an environment where it is far less likely to turn into a breach.
This article was originally published on Ostendio and is republished here with permission.
Additional Resource:
Listen to this episode of Healthcare de Jure where host Matt Fisher talks with Grant about cybersecurity concerns in the industry.