Clinician sharing of data a top reason for data breaches
An analysis of five years of data from a database of major breaches affecting at least 500 individuals finds that in 2016 the reporting of such breaches exceeded 300 for the first time.
The analysis of the database, operated by the Office for Civil Rights for the Department of Health and Human Services, comes from Safetica North America. It found that well-intended clinicians sharing data results in a 10 percent breach growth rate annually, and this sharing is the primary driver of breaches, says Luke Walling, general manager at Safetica, a data loss prevention vendor operating in Europe for seven years that launched operations in the U.S. in September.
When the 10 percent of well-intended sharing is combined with other incidents of unauthorized access and disclosure, that category accounted for 41.5 percent of breaches during 2016, compared with 25 percent in 2014. Hacking accounted for nearly 32 percent this year, compared with 14 percent of incidents in 2014. Other breach rates in 2016 included theft (19 percent), loss (5.4 percent) and improper disposal (2.3 percent).
“Employees or associates accessing and sharing data they should not—or disclosing it to people they should not—was the single biggest breach factor this year,” according to the analysis.
As 2016 draws to a close, 15.2 million records have been compromised. That’s is a lot, but the 2015 number was 113.3 million following a series of very large attacks that included the Anthem hack that accounted for 70 percent of all breaches in 2015.
Theft of medical records fell to its lowest level this year since 2013, with better security education and securing of documents, as well as improved devices to police networks and employee actions, says Walling. “Not well done was controlling credentials and user behavior that constitutes unintended sharing.”
Hacking in 2017 could actually take a dip as healthcare organizations get better at controlling what they can control, and security technology and best practices also continue to improve, Walling predicts. However, it is wise not to get complacent, he warns. “The problem with phishing is it still works. It is extremely difficult for anyone to distinguish between real and malware emails, so you have to make sure the data can’t leave the organization.”
That leads to another problem—allowing the flow of data without impacting how people do their jobs. Encryption obviously is a strong protector of data, but users don’t want to have to consciously decrypt and encrypt data.
Tools are available that create rules for how files move throughout a network. A rule, for instance, could auto-encrypt a file, decrypt the file to use it, and then re-encrypt it, Walling says. “These rules make files accessible and the encryption and decryption processes are invisible to the user.”