Continued Data Breaches in Healthcare
Around two years ago, I happened to be waiting in an out-patient department during a ransomware attack on the UK NHS. In this case, the UK’s over-dependence on paper-based patient records paid off. Even so, staff being locked out of all systems, including appointments, caused complete chaos in the hospital.
Fast forward, and deep dive into the healthcare section of the latest annual Verizon report into data breaches. It remains scary reading.
The Verizon team analysed 41,686 data security incidents, of which 2,013 were confirmed data breaches. 304 of these happened in healthcare.
Risk area 1: Abuse of staff privilege
The report confirms that the biggest source of data protection issues is the staff of healthcare organisations, defined by the report as ‘internal actors’:
“…the most common threat actors in this industry are internal to the organization, it can paint a rather challenging picture. With internal actors, the main problem is that they have already been granted access to your systems in order to do their jobs.
One of the top pairings…between actions and assets for Healthcare was privilege abuse (by internal actors) against databases. Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern.” – Verizon
Risk area 2: Email and mail errors
The report identified that mail and email errors remain a common risk area. For example, sending clinical emails to the wrong recipient, or posting medical data to the wrong person’s address.
Beyond this, the report cites the risk in healthcare of phishing:
“…the very common scenario of phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is chilling in the Inbox, or Sent Items, or other folder for that matter is considered compromised.” – Verizon
The Verizon team concludes the healthcare section with three recommendations:
1: “…Know where your major data stores are, limit necessary access, and track all access attempts. Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups.”
2: “…Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers. Think about reward-based motivation if you can.”
3: “…Know which processes deliver, publish or dispose of personal or medical information and ensure they include checks so that one mistake doesn’t equate to one breach.” – Healthcare section, Verizon report
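The first recommendation, and the ‘privilege abuse against databases’ pairing under Risk area 1, both come down to tracking access and finding unnecessary lookups. The script below is an added illustration, not from the Verizon report or any real system: it runs two simple checks over a constructed database audit log, flagging lookups of patients outside a user’s care team and users whose lookup volume is far above their peers. The log lines, user names, patient IDs and care-team table are all made up.

```python
"""Flag unnecessary patient-record lookups in a constructed database audit log."""
from collections import Counter
from statistics import median

# Constructed audit log (not real data): timestamp, user, action, patient_id
AUDIT_LOG = """\
2019-06-03T08:01:12 nurse_ana SELECT P1001
2019-06-03T08:03:40 nurse_ana SELECT P1002
2019-06-03T09:15:02 dr_kim    SELECT P1003
2019-06-03T09:16:30 dr_kim    SELECT P1001
2019-06-03T12:02:11 clerk_bo  SELECT P1001
2019-06-03T12:02:19 clerk_bo  SELECT P1002
2019-06-03T12:02:27 clerk_bo  SELECT P1003
2019-06-03T12:02:35 clerk_bo  SELECT P1004
2019-06-03T12:02:44 clerk_bo  SELECT P1005
2019-06-03T12:02:52 clerk_bo  SELECT P1006
2019-06-03T12:03:01 clerk_bo  SELECT P1007
2019-06-03T12:03:09 clerk_bo  SELECT P1008
"""

# Constructed care-team assignments: which patients each user legitimately treats
CARE_TEAM = {
    "nurse_ana": {"P1001", "P1002"},
    "dr_kim": {"P1003"},
    "clerk_bo": {"P1001"},
}


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": ts, "user": user, "action": action, "patient": patient})
    return events


def flag_off_team_lookups(events, care_team):
    """Return sorted (user, patient) pairs where the user is not on that patient's care team."""
    return sorted({(e["user"], e["patient"]) for e in events
                   if e["patient"] not in care_team.get(e["user"], set())})


def flag_high_volume_users(events, factor=3):
    """Return users whose lookup count exceeds `factor` times the median per-user count."""
    counts = Counter(e["user"] for e in events)
    if len(counts) < 2:
        return []  # no peer group to compare against
    med = median(counts.values())
    return sorted(u for u, n in counts.items() if n > factor * med)


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    print("off-team lookups:", flag_off_team_lookups(evs, CARE_TEAM))
    print("high-volume users:", flag_high_volume_users(evs))
```

In a real deployment the care-team table would come from the scheduling or admissions system, and the volume baseline would be computed per role rather than across all users.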