The PhishLabs Blog

Anatomy of a Healthcare Data Breach

Posted by Lindsey Havens on Jan 19, '17

Healthcare data breaches are becoming an almost daily occurrence.

Last year, the volume and scale of healthcare data breaches increased more than ever before. In August of 2016, Advocate Health Care, a network of 12 hospitals and over 200 other treatment centers, was hit with a $5.5 million settlement over a series of three data breaches back in 2013.

So what’s going wrong? If you’ve been following this series so far, you’ll know an unprecedented number of threat actors are now targeting the healthcare industry… but how are all these breaches actually happening?

Well, according to the 2016 Verizon Data Breach Investigations Report, they fall into three main categories.


Spear phishing is a huge cause of data breaches in every industry, and healthcare is no exception. To find out what you can do to defend against it, register for our January webinar: The Rise of Spear Phishing & How to Avoid Being the Next Headline.



1) The Insider Threat & Human Error

When it comes to insider threats, most people imagine dark-clothed spies creeping around their offices, or disgruntled employees deliberately sabotaging their systems.

But the truth is most internal threats are just normal employees making normal (seemingly benign) mistakes. Unfortunately, no matter how small a mistake might seem, it can have huge consequences.

The overwhelming majority of breaches in the healthcare industry are caused by human error, often in the form of privilege misuse. If we were being uncharitable, we could rename this phenomenon the ‘cost of incompetence.’

Of course, that’s not really fair. Data security isn’t a top priority for most healthcare employees, and many wouldn’t even consider the possibility that a seemingly tiny mistake on their part could cost their employer millions of dollars.

But, of course, they can. Last year, Planned Parenthood of Greater Washington and North Idaho was forced to notify 10,700 patients of a potential breach after several emails relating to a new patient portal were (accidentally) sent to the wrong addresses.

And that’s all it takes. Just a few emails sent to the wrong people can lead to a serious data breach. Of course malicious insiders will crop up occasionally, but they’re far less common than simple errors of judgement.

The Solution: First, there’s a level of security hygiene to consider. If you have a strict ‘least privilege’ model for user access, the majority of mistakes can be contained without cataclysmic results.

But while this is an important step to take, it isn't a complete solution.

In order to prevent these types of errors, you’ll need to implement a robust, consistent, and powerful security awareness training program. Educating your employees on basic security, and regularly reinforcing your key messages, is essential to preventing healthcare data breaches. The cost of implementation will be more than offset by the inevitable reduction in breaches, but if you need help developing a business case take a look at this article.

2) Lost & Stolen Devices

After human error, lost and stolen devices are the next most common cause of healthcare data breaches. From laptops left on trains to on-site theft, the loss of physical devices has historically been a huge issue for the industry.

But really, when you think about it, this is no different to the insider threat. Sure, theft can’t be entirely blamed on employee mistakes, but unless the thief actively infiltrated a building and made it past at least one locked door, it’s difficult to claim that nothing could have been done differently.

For instance, in December 2015 the non-profit Valley Hope Association announced a data breach after a company laptop was stolen from an employee’s car. Up to 52,076 patients may have been affected, and the data at risk included social security numbers, addresses, dates of birth, government-issued ID numbers, treatment plans, diagnoses, medical record numbers, usernames and passwords, health insurance information, and financial information.

So what, we have to ask, was that laptop doing in an unattended car? Examples abound of devices left in plain sight, so this incident is far from isolated.

In another recent example, the Kansas-based Children’s Mercy Hospital reported a breach after paper records relating to 238 patients were stolen from (you guessed it) an employee’s car. In some ways this is even worse than having a device stolen, as there is absolutely no chance the thief wouldn’t recognize what they had.

The Solution: First and foremost, even if a company device is stolen, it shouldn’t result in a breach. Encrypting company-issued devices should be standard practice, particularly in an industry that routinely collects and keeps huge quantities of sensitive data.

Beyond this, though, we’re back to security awareness training. A sensibly developed training plan will inevitably include details of your organization’s acceptable usage policy, and provide pointers on how company devices should be handled offsite.

3) Ransomware

If you wanted to strike fear into the hearts of healthcare executives with a single word, ransomware would be it.

If you aren't familiar with ransomware, or you want to know more about it, check out our definitive guide. Later in this series we’ll cover ransomware from a healthcare organization’s perspective, but for now we’ll define it like this:

Ransomware is a form of malware that restricts access to computer systems or files, and demands that the victim pay a ransom in exchange for restored access.

Over the past two years a huge number of healthcare organizations have been hit with ransomware attacks, and many have decided to pay up. But the trouble is, even if your organization has thorough backups or decides to pay a ransom, the level of disruption can be huge.

For example, the Lexington-based Appalachian Regional Healthcare hospitals were forced to implement an emergency operations plan after being hit by a ransomware attack. Instead of opting to pay, the organization pulled its networks offline and painstakingly restored them over a three-week period while conducting all services manually.

While this is a testament to ARH’s incident response abilities, the incident clearly caused a lot of problems, and was likely very expensive to resolve.

The Solution: There are two sides to preventing malware infections. On the one hand, improved technical controls such as patch management and endpoint security will reduce the chances of a ransomware attack being successful.

But to prevent infections altogether, it’s important to consider how ransomware is typically deployed. Overwhelmingly, threat actors turn to phishing and spear phishing as the means to infect.

Training your employees to recognize and report phishing emails will drastically reduce your organization’s risk of being infected with ransomware. By implementing a rigorous security awareness training program, and backing it up with regular, real-life internal phishing campaigns, you can turn your organization’s greatest security weakness (people) into a major strength.

People First

The healthcare industry has an unusually high number of individuals with access to sensitive information, which naturally poses a significant risk. To address this, healthcare organizations are overwhelmingly investing in technical security controls in an attempt to reduce their level of cyber risk.

But if the most common breach causes are considered objectively, the industry’s greatest risk is clear: People.

One way or another, human error is to blame for an overwhelming majority of healthcare breaches, and technical controls can only do so much to prevent it. The only sensible way to move forward is to invest the time and resources necessary to help employees at all levels understand the need for security, and develop the habits necessary to minimize breaches in the future.

For more information about how security awareness training could be implemented at your organization, or to arrange a demonstration, get in touch today.


From February 19-23, PhishLabs will be at HIMSS 17 booth 6689 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.

Topics: security awareness training, EDT, Healthcare
