HIT Think

Why insider breaches are on the rise

Patients’ healthcare information continues to be exposed on a regular basis by provider organizations. The monthly Breach Barometer compiled by Protenus, a security consulting firm, shows that there has been an average of one breach in healthcare per day in 2017.

Protenus’ latest monthly report counted 37 breaches disclosed for the first time in May. The number matters because it shows the ongoing challenge of protecting patient information. The not-so-old adage that it is not a matter of if you get breached but when keeps proving accurate.


A couple of findings from the Protenus report stand out. First, three breaches were not reported for more than 1,000 days from the date of discovery. This is a substantial period of time for a breach to remain unreported. Why does it take so long for these organizations to report? What breakdown in auditing and monitoring of systems occurred?

The delay may be partly explained by the fact that many of May’s breaches resulted from insider activity. A common concern about insider breaches is the difficulty of detecting them: an insider can slowly leak data out of a system or otherwise mask the activity. Additionally, despite widespread reports that insiders are a top threat, outside issues such as ransomware garner most of the headlines and the spotlight.

Not paying attention to the insider threat is dangerous, however. Insiders understand a system, have approved access to data and have many opportunities to extract data. No organization should feel safe. It is not a matter of a lack of trust, as much as it is recognizing reality.

The concern about insider threats leads to the second standout item from the May report, namely that insiders were involved in 15 of the 37 breaches reported. As reported by Protenus, 10 of the insider breaches were caused by employee error. While it’s never good that employees make mistakes, these types of errors are more likely to be one-time events and not involve malicious intent.

The other five insider breaches were the result of malicious conduct. Such conduct includes obtaining information for personal gain, selling information to known criminals and other conduct in the same vein. The common theme of the malicious intent breaches is the desire to profit or personally gain from taking the information.

If an individual is determined to profit from patient data, it is difficult for an organization to stop them pre-emptively. Organizations can, however, do a better job of rooting out internal bad actors by routinely auditing and monitoring the systems and records that hold protected health information, so that improper access is found in days rather than in the 1,000-plus days seen in the May report.

Further, automated monitoring can supplement the manual review a healthcare organization already does. Combining tools shortens the time to discovery, which in turn improves mitigation.
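As an added illustration of the kind of automated audit-log monitoring the paragraph above calls for (example code written for this page, not code from the article or from Protenus), the script below runs three simple insider-access checks over a constructed EHR access log: a user reading records for patients outside their own department, access outside business hours, and a user whose daily count of distinct patient records far exceeds that of their peers. The log format, department names, cross-department roles and thresholds are all assumptions for illustration.

```python
"""Flag suspicious access to patient records in an EHR audit log.

Added example, not from the article or from Protenus. The log line format,
department names and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real data). One access event per line.
SAMPLE_LOG = """\
2017-05-02T08:12:04 user=nurse01 dept=cardiology patient=P1001 pt_dept=cardiology action=view
2017-05-02T08:15:31 user=nurse01 dept=cardiology patient=P1002 pt_dept=cardiology action=view
2017-05-02T09:02:10 user=nurse02 dept=oncology patient=P2001 pt_dept=oncology action=view
2017-05-02T09:40:55 user=nurse02 dept=oncology patient=P2002 pt_dept=oncology action=view
2017-05-02T22:31:09 user=nurse02 dept=oncology patient=P1003 pt_dept=cardiology action=view
2017-05-02T10:05:00 user=clerk07 dept=billing patient=P1001 pt_dept=cardiology action=view
2017-05-02T10:06:12 user=clerk07 dept=billing patient=P1002 pt_dept=cardiology action=view
2017-05-02T10:07:45 user=clerk07 dept=billing patient=P2001 pt_dept=oncology action=view
2017-05-02T10:09:03 user=clerk07 dept=billing patient=P2002 pt_dept=oncology action=view
2017-05-02T10:11:27 user=clerk07 dept=billing patient=P3001 pt_dept=orthopedics action=view
2017-05-02T10:12:50 user=clerk07 dept=billing patient=P3002 pt_dept=orthopedics action=view
2017-05-02T10:14:18 user=clerk07 dept=billing patient=P3003 pt_dept=orthopedics action=view
2017-05-02T10:15:40 user=clerk07 dept=billing patient=P3004 pt_dept=orthopedics action=view
2017-05-02T11:30:00 user=doctor03 dept=cardiology patient=P1001 pt_dept=cardiology action=view
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) patient=(?P<patient>\S+) "
    r"pt_dept=(?P<pt_dept>\S+) action=(?P<action>\S+)$"
)

# Assumption: these roles legitimately touch records across departments.
CROSS_DEPT_ROLES = {"billing", "records"}
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is a normal shift
VOLUME_FLOOR = 5                # assumption: ignore small daily counts
VOLUME_FACTOR = 3               # assumption: >3x the peer median is an outlier


def parse_log(text):
    """Parse the key=value audit format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def department_mismatches(records):
    """Access to a patient treated outside the user's own department."""
    return [
        (r["user"], r["patient"], r["ts"].isoformat())
        for r in records
        if r["dept"] != r["pt_dept"] and r["dept"] not in CROSS_DEPT_ROLES
    ]


def after_hours_access(records):
    """Access events whose hour falls outside BUSINESS_HOURS."""
    return [
        (r["user"], r["patient"], r["ts"].isoformat())
        for r in records
        if r["ts"].hour not in BUSINESS_HOURS
    ]


def volume_outliers(records):
    """Users whose distinct-patient count on a day far exceeds their peers'."""
    per_day = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_day[r["ts"].date()][r["user"]].add(r["patient"])
    flagged = []
    for day, users in per_day.items():
        for user, patients in users.items():
            peers = [len(p) for u, p in users.items() if u != user]
            baseline = median(peers) if peers else 0
            n = len(patients)
            if n >= VOLUME_FLOOR and n > VOLUME_FACTOR * baseline:
                flagged.append((user, day.isoformat(), n))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, hits in (("department mismatch", department_mismatches(recs)),
                       ("after hours", after_hours_access(recs)),
                       ("volume outlier", volume_outliers(recs))):
        for hit in hits:
            print(f"{name}: {hit}")
```

On the constructed log this flags nurse02 for reading a cardiology patient's record at 22:31 and clerk07 for touching eight distinct records in a day when peers touched one to three. Note the limitation that the article itself points at: a per-day volume rule will not catch an insider who leaks a few records a week, so the same counting should also be run over longer windows (weeks or months) against each user's own history, and billing-style roles that are exempt from the department check need their own baseline.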

As can be seen, the Breach Barometer should be mandatory monthly reading for many healthcare entities. Until security efforts can be improved, it is instructive to learn lessons from the monthly summary of breach reports, seeing trends that may provide forewarning at your own organization.
