- A large portion of health data breach incidents are tied to insider activity, employee negligence, and physical theft of devices, according to a recent SurfWatch report.
The 2015 Mid-Year Cyber Risk Report found that personal information is increasingly targeted among many sectors, including healthcare, financial, and industrial. For healthcare specifically, the top exploit for the first part of 2015 was employee negligence. This can include either current or former workers providing criminals with physical devices or confidential information, according to the report, and done accidentally and also on purpose.
“Improper disposal and/or storage of patient files has also been a common contribution to data breaches,” the report stated. “Disgruntled employees have also sold information to cybercriminals.”
For the report, SurfWatch collected evaluated cyber intelligence and then categorized, normalized, and measured the data for overall impact. The facts were then tied to 3,046 distinct industry targets across 12 sectors. From there, the report breaks down “Avenues of Approach,” which analysts determined were the top areas of cyber risk across several industries.
Along with employee negligence, the healthcare industry also had insider access as its top presence achieved in the first half of 2015. This can be from employee negligence or intentional criminal conduct by staff members, according to the report, where patient data is inappropriately accessed.
“The challenge with the risks facing these areas is finding the appropriate balance between security and usability,” the report stated. “Organizations will need to review and deploy a proper combination of access control and encryption for data in transit as well as encryption for data at rest in order to reduce their risk landscape.”
Strong encryption capabilities can be greatly beneficial and are often cost effective and easy to deploy, according to the report, but it is also important to remember that encryption does not mitigate all risks. Encryption options should be used as part of an organization’s overall cybersecurity program, the report’s authors wrote.
Many of the top cybersecurity incidents that took place in the first half of the year were related to stolen healthcare records and other personal information, according to the report. Three health insurers were among the top 12 trending cybercrime targets, the research found, with the top incident being the Anthem data breach.
Human error was also cited as a top data security issue in a report from Baker Hostetler earlier this year. Specifically, the law firm reviewed cases it had worked on in the last year related to privacy and data protection and said employee negligence was responsible for 37 percent of reported issues.
Twenty-two percent of cases were caused by outsider theft, and 16 percent from insider theft, according to the report. Malware incidents led to 14 percent of reported issues, while phishing scams accounted for 11 percent.
“Incidents do not only occur at businesses that have payment card data or protected health information,” BakerHostetler Privacy and Data Protection team Co-chair Theodore Kobus said in a statement. “Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.”