Lessons Learned from 2016: It's Time to Address Internal Security Threats to Health Data
Throughout 2016, the message from cybersecurity experts has been fairly consistent and increasingly urgent: leaders at patient care organizations need to prioritize IT security. And, at the risk of sounding like a broken record, a recent year-in-review report on health data breaches makes one thing quite clear: healthcare leaders are still not doing enough to protect patient data.

According to a new Breach Barometer report from Baltimore-based healthcare cybersecurity vendor Protenus, produced in collaboration with DataBreaches.net, the healthcare industry was plagued by breaches involving patient or health data in 2016, with hacking and ransomware incidents reminding us how vulnerable protected health information (PHI) remains.

According to an analysis by Protenus and DataBreaches.net, there were 450 data breach incidents either reported to the U.S. Department of Health and Human Services (HHS) or disclosed in the media in 2016. That's more than one health data breach per day for the entire year, and these breaches resulted in 27 million affected patient records. If these trends continue, 2017 can expect to see a continued average of at least one breach disclosed per day.

A Healthcare Informatics news article about the Protenus report briefly highlights the key findings, yet the report's findings about insider wrongdoing caught my attention. Many data security experts have pointed out that employees are the weakest link in the cybersecurity fence, and with this in mind, it's important to review these data breach incidents with an eye toward lessons learned and to find a way forward for protecting patient privacy.

Protenus reported that 43 percent of the 2016 health data breaches (192 incidents) were the result of insiders, and for the 162 of those 192 incidents that Protenus has data for, 2 million patient records were affected. Now, while hacking accounted for the majority of patient records breached in 2016, insider incidents resulted in a larger number of breach incidents (120 vs. 192, respectively).

According to the Protenus report, the average number of breached patient records due to insider error was more than three times the number attributed to insiders with malicious intent. However, the report also noted that this figure was distorted by two large insider-error incidents in August and December, which, when removed, show the two categories to have roughly similar averages.

"While it is reassuring that not all insider breaches are with ill-intent, healthcare organizations need to make employee training, frequent reminders, and re-training a priority," the report authors wrote.

One key reason why I think the insider incidents should be highlighted is that there is mounting evidence that the problem of insider data breaches has largely gone unaddressed as healthcare organizations focus on catching up with the external threats. Additionally, insider breaches tend to fly under the radar and can go undetected for quite some time. To this point, the report authors noted that in one incident, hospital employees were potentially inappropriately accessing patients' medical information for years without being detected because the hospital didn't have technology in place to monitor or protect patient privacy. The hospital found potentially inappropriate accesses to the medical records beginning no later than 2013, and possibly much earlier.

"Without technology in place to provide alerts when access to a medical record is inappropriate, the organization now has to notify every single patient they've encountered since 2013, which will probably end up being a very costly process," the report authors wrote.

The Protenus report findings also indicate that it took an average of 233 days for a healthcare organization to discover it had a health data breach. Perhaps most troubling is that the time to discovery specifically in cases of insider wrongdoing was more than double that: 607 days. It goes without saying that it is critical for healthcare organizations to take a more proactive approach to monitoring patient data, as the sooner a breach is detected, the quicker organizations can mitigate the risk of significant damage being done with their patients' data.

While limited budgets and resources are likely to blame for some organizations' data breach detection capabilities, the report authors also surmise that organizations are still taking a reactive rather than proactive approach to privacy monitoring, and this can allow inappropriate access to patient data to go unnoticed for extended periods of time.

In a recent interview, Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, had a similar view of healthcare data security. "I think there are some folks who are beginning to be a bit more proactive, but for the most part we're still a very reactive industry," he said.

Regarding insider data breaches specifically, McMillan said, "They are going to continue to be a problem until we realize, as an industry, that we need to move to behavioral modeling and behavioral analysis to stop the threat. This is one of those situations where the methods we are using are antiquated. We're typically monitoring users today based on rules, so in other words, somebody goes outside their prescribed boundary in terms of what they are doing or some known convention in the system in terms of their profile. The problem is that most insiders that are perpetuating harm, they know what those rules are, and so they are careful not to cross those boundaries. And if you're not actually looking at behavior, you're not going to catch that."
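The contrast between rule-based monitoring and behavioral analysis of medical-record access can be made concrete. The Python script below is an added example and is not code from the article, from Protenus or from CynergisTek. It runs over a constructed EHR access-audit sample (user, the user's unit, patient, the patient's unit, date; every user name, unit and patient ID is made up) and applies two detectors side by side: a static rule (access to a patient outside the user's own unit) and a per-user behavioral baseline (distinct patient charts opened per day, compared against that user's earlier days). The `min_history` and `z` settings, and the floor on the standard deviation, are illustrative choices, not values from any product.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# --- Constructed EHR access-audit sample (not real data) -------------------
# Each event: (user, user_unit, patient_id, patient_unit, access_date)

def _accesses(user, user_unit, day, patient_ids, patient_unit):
    """Expand one user's accesses on one day into individual audit events."""
    return [(user, user_unit, pid, patient_unit, day) for pid in patient_ids]

SAMPLE_EVENTS = []
# n.alpha: an ICU nurse with a steady baseline, then a one-day spike of
# chart views that all stay inside the ICU, so no unit rule is crossed.
for day_no, count in enumerate([4, 5, 4, 6, 5, 20], start=1):
    SAMPLE_EVENTS += _accesses(
        "n.alpha", "ICU", date(2016, 8, day_no),
        [f"ICU-{i:03d}" for i in range(count)], "ICU")
# c.bravo: an oncology clerk with a flat baseline who, on day 4, opens a
# single ICU chart outside their own unit.
for day_no in range(1, 4):
    SAMPLE_EVENTS += _accesses(
        "c.bravo", "ONC", date(2016, 8, day_no),
        ["ONC-001", "ONC-002", "ONC-003"], "ONC")
SAMPLE_EVENTS += _accesses("c.bravo", "ONC", date(2016, 8, 4),
                           ["ONC-001", "ONC-002"], "ONC")
SAMPLE_EVENTS += _accesses("c.bravo", "ONC", date(2016, 8, 4),
                           ["ICU-000"], "ICU")


def rule_based_alerts(events):
    """Static rule: flag any access to a patient outside the user's own unit.
    Returns (user, patient_id, access_date) tuples."""
    return [(user, pid, day)
            for user, user_unit, pid, patient_unit, day in events
            if user_unit != patient_unit]


def daily_distinct_patients(events):
    """Per user, per day: how many distinct patient charts were opened."""
    seen = defaultdict(lambda: defaultdict(set))
    for user, _, pid, _, day in events:
        seen[user][day].add(pid)
    return {user: {day: len(pids) for day, pids in days.items()}
            for user, days in seen.items()}


def behavioral_alerts(events, min_history=3, z=3.0):
    """Behavioral baseline: flag a day whose distinct-patient count exceeds
    mean + z * stdev of that user's earlier days. The stdev is floored at
    1.0 so a perfectly flat history does not alert on a change of one chart.
    Returns (user, access_date, count, threshold) tuples."""
    alerts = []
    for user, days in daily_distinct_patients(events).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough baseline for this user yet
            threshold = mean(history) + z * max(pstdev(history), 1.0)
            if days[day] > threshold:
                alerts.append((user, day, days[day], round(threshold, 1)))
    return alerts


def run_both(events):
    """Run both detectors; the two alert lists catch different things."""
    return {"rule": rule_based_alerts(events),
            "behavioral": behavioral_alerts(events)}


if __name__ == "__main__":
    for name, hits in run_both(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On this sample the ICU nurse who opens 20 charts in one day never leaves the ICU, so the unit rule stays silent and only the baseline fires; the oncology clerk who opens one ICU chart trips the rule but stays well inside a flat baseline. That is the point made above: a user who knows the rules can stay within them, and only a comparison against their own normal behavior surfaces the change. A production privacy-monitoring system would add further signals (care-relationship checks, after-hours access, VIP or same-surname lookups) and route alerts to a reviewer, but the division between boundary rules and behavioral baselines is the same.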