Healthcare organizations must ensure that they carefully monitor who is able to access sensitive information, as potential data security threats can come from either insiders or third parties.
While working with trusted vendors or business associates is not new for the healthcare industry, failing to manage, control, and monitor sensitive data access could lead to inappropriate access and even a data breach.
A recent Bomgar report found that nearly two-thirds of surveyed security professionals believe that a breach originating from an insider – either malicious or unintentional – is their greatest security threat.
Over 600 IT professionals in numerous industries, including healthcare, were interviewed for the 2017 Secure Access Threat Report. Individuals worked in Operations, IT Support/Helpdesk, IT Security or Network/General IT roles.
The majority of respondents – 90 percent – said that they trust employees with privileged access most of the time, even though just 41 percent also completely trust those same insiders.
Sixty-three percent of those surveyed said that the unintentional mishandling of sensitive data by an employee that then results in a breach is their top concern. Phishing attacks targeting administrative or targeted credentials were cited by 61 percent as a top concern, followed by an employee intentionally misusing sensitive data for personal gain (60 percent of those surveyed).
The report also showed that just over one-third of respondents – 37 percent – said that they have complete visibility into which employees have privileged access. Thirty-three percent added that they think former employees could still have corporate network access.
“With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk,” Bomgar CEO Matt Dircks said in a statement. “The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access.”
“Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company.”
Employee workarounds to implemented security solutions may also be posing problems, according to the report. These workarounds are often used to bypass the IT process and keep daily workflow moving.
Sixty-nine percent of respondents said that they stay logged on, while 57 percent reported sending files to personal email accounts.
Additionally, 55 percent of those surveyed admitted to writing down passwords, while 55 percent said they have downloaded data onto an external memory stick or drive.
“When workers are faced with security measures that seemingly hinder their efficiency, they’ll use shortcuts without considering the risks,” report authors explained. “What’s gained in a few minutes of extra productivity then opens the door to threats.”
In terms of external threats, 69 percent of respondents said that they experienced a breach in the past 12 months that could either definitely or possibly be attributed to a third-party vendor that had access to their system.
The number of vendors able to access a company’s system every week has also increased, the report found. In 2017, 181 vendors were listed as having such access, an increase from the 89 reported in 2016.
One-third of respondents said that the most significant risk to network security was third-party vendors sharing log-ins and passwords amongst the team. Thirty percent reported that a lack of incident response processes to report and manage third-party vendor data breaches was a top concern.
“Access rights need to be more than a simple yes or no,” noted report authors. “Similarly, to combat the growing ‘fourth party’ risk, security professionals should ensure they are able to track and monitor individual users even if they’re leveraging secured, shared credentials.”
Healthcare data security threats could come from either insiders or third parties. Employees must be properly trained on all cybersecurity measures and understand why certain security guidelines exist so they do not attempt to “work around” those implementations.
Furthermore, comprehensive and current business associate agreements can ensure that healthcare organizations know that a third party is willing to take necessary steps to keep data secure.