When internal actors – aka employees – are the cause of your data breach and PHI loss.
Of the 655 healthcare data incidents and 472 confirmed data breaches recorded last year, nearly 40 percent were attributed to internal actors, in most cases employee error rather than malice. And of the successful healthcare breaches, 85 percent relied on deceiving people (social engineering) rather than on exploiting flaws in software.
Data Breach by Employee Action – Mostly Unintentional
While the split between internal and external causes of data breaches fluctuates from year to year, internal causes are the ones a healthcare organization can most directly control. Yet after many years of educating and training healthcare employees on how to keep data secure, they remain a significant share of breaches. Most insider incidents are non-malicious: an employee falls for a phishing email, uses a weak password, or stores files containing sensitive data where they should not be.
Just One Phishing Email
Some healthcare organizations, with good reason, focus most of their prevention effort on ransomware. But a single email sent to many healthcare employees can do comparable damage. Take last year’s successful phishing attack on Missouri-based BJC Healthcare: just three employees were enough to expose data on 287,876 patients and disrupt 19 of its affiliated hospitals.
Heightened Awareness is Needed Now
Bad actors know that an overworked healthcare employee is their best asset. In just three months – from December 2020 to February 2021 – there was a 189 percent increase in phishing attacks targeting pharmacies and hospitals while these organizations were focused heavily on the COVID-19 vaccine rollout.
Educational reminders matter most when employees are stressed and have less capacity to stay vigilant. That is when earlier cyber training pays dividends; likewise, the training conducted now protects against future attacks, as good data security habits become second nature.
Paper vs. Digital PHI Data Loss
Much of the focus is on the digital side of data breaches. However, a study in The American Journal of Managed Care found that PHI on paper and film was commonly among the media stolen. This highlights the need to train employees on the physical environment as well: how easily the public can view, photograph, or walk off with paper records and devices. And as home care services and community engagement grow, so does the exposure of physical documents and devices to theft.
Should You Prevent or Remediate Healthcare Data Breaches?
When we focus on internal actors – employees – and on how vital their knowledge and instincts are in stopping simple mistakes from becoming a data breach, the question of prevention versus mitigation has to be addressed.
Some healthcare organizations have been shifting their cybersecurity strategy and budget away from prevention and toward detection and mitigation. But if roughly 40 percent of breaches originate at a point that can be reinforced, it is prudent to balance investment and effort on both sides of the data security equation. Better education on how employees can recognize and avoid phishing could eliminate as much as a third of all breaches, a measurable return on the training investment.
How Does Your Cybersecurity Program Address Internal and External Actors?
We take a lean, data-driven approach to building or assessing a cybersecurity program. It’s called CyberLean. A balanced, risk-based approach to where you invest your budget yields greater maturity and resilience.