Most Breaches Inadvertent Inside Jobs
Don’t look any farther than the clinic’s walls to find most of the sources of data breaches, says Verizon, which recently released its 2019 Data Breach Investigations Report. What it found adds to Compliance Officers’ headaches.
Not in Our Stars But in Ourselves
The report, which reflects research results of 41,686 security incidents and 2,013 data breaches from 86 countries and several industries, indicates that, in addition to foolish errors, healthcare workers misusing privileges and applications create most of the problems. In a large number of cases, the breaches are generated by an innocent employee’s misstroke. However, many are caused by employees’ greed, desire for revenge, and espionage. The top three patterns for errors are:
- Miscellaneous mistakes
- Privilege misuse
- Web applications
Not surprisingly, 72% of the data being compromised is medical while 34% is personal. Credentials are the third most compromised data in healthcare. Verizon identifies 59% of “threat actors” as internal, while 4% can be partners and 42% are external. Four out of five motives for the threat actors can be classified as financial, but fun, convenience, grudge, and espionage are also motivators.
C-level executives are 12 times more likely to be the target of social incidents and 9 times more likely to be the target of social breaches than in years past, Verizon asserts. Like their employees, they open emails, download questionable applications, and access risky sites. Data compromised by recklessness amounts to 72% medical, 34% personal, and 25% credential.
No Breaches Without Outsiders
Except for those cases where a staff member may open a patient’s record without authorization, most breaches begin with outside threats. Ransomware attacks account for 24% of the incidents where malware was used. In most cases, the malware is released when an email attachment or link is opened by an unwitting staff member. These attacks are often aimed at healthcare facilities and groups because of perceived deep pockets. Data is locked and either destroyed or sold on the Dark Web.
The success of phishing attacks has fallen dramatically over the last seven years, but 18% of those who do fall for the attacks are doing so on mobile devices.
Overall, while Verizon’s report indicates progress in preventing some breaches, the growth in self-generated breaches is, according to the data company, sobering.