The healthcare sector suffered 142 healthcare data breaches from April through June, impacting 3.14 million patient records – nearly three times the number reported in the first part of the year, according to the latest Protenus Breach Barometer.
What’s worse is that about 30 percent of those breaches were caused by repeat offenders from within the organizations. It highlights a continued issue facing the sector: Risk accumulates over time when proper education and reporting do not happen.
“If an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time,” the report authors wrote.
“In other words, even minor privacy violations that are not promptly detected and mitigated have the potential to compound risk over time,” they added.
This issue is not new. Over the last few years, security leaders have continually stressed the need to bolster education as the first line of defense – given the significant number of breaches caused by human error or malicious insiders.
In fact, the report found nine out of 1,000 employees breach patient privacy. And 70,562 breached patient records were caused by insider wrongdoing, which is up from just 4,597 records from the first quarter.
According to a 2017 MediaPro report, 70 percent of employees lack cybersecurity awareness or preparedness. While policies and training won’t automatically fix security issues, they are critical because employees are often the weakest link.
“Educating and retraining workforce members on data privacy and security policy and procedures can reduce the frequency of repeat offenders within the organization,” according to the Protenus report.
Adding to the management issues of insiders is that one investigator is responsible for monitoring an average of 4,000 employees and an average of 2.5 hospitals, according to the report. That ratio makes it incredibly difficult for investigators to keep up with the number of insider threats.
Fortunately, these numbers are better than the first quarter of 2018, which suggests that health systems are investing more into their infosec teams. The added resources are definitely needed given that the report found hacking incidents nearly doubled from the first quarter of 2018.
Phishing incidents were the greatest cyber threat of the quarter with 10 breaches, followed closely by ransomware and malware with seven. But another 23 disclosed breaches lacked enough data to properly classify the threat.
What’s also concerning is that about 800,000 breached records were caused by a business associate or a third-party vendor. These numbers are staggering given that the average cost of a breach is $408 per patient record.
“Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data,” the report authors wrote.
Data breaches will be among the topics experts address at the upcoming HIMSS Healthcare Security Forum, set for Oct. 15-16 in Boston.