In healthcare, breach dangers come from inside the house

Driven by an enticing value proposition, hackers are increasingly turning to ransomware to bring in cash, according to a new report from Verizon.

But healthcare also faces a threat particular to the industry, according to the report: breaches from within. A little more than half of healthcare security breaches in 2017 came from inside the healthcare organization, according to Verizon data.

Some of those breaches—about 23%—are due to human error. The most common error was sending information to the wrong person.

Other breaches—13%—are due to “fun or curiosity,” according to the report. Those might occur when staff look up records they have no need to see, for example when a celebrity has been a patient.

“There are very few industries where if you don’t log out of the computer in the room and then someone else looks at the screen there’s a breach, because they’re looking at someone else’s health information,” said Gabriel Bassett, senior information security data scientist for Verizon.

Poor device security increases the risk, he said. “We know to encrypt mobile devices, but if you’re a small company, that’s a lot of work, especially if you have only one IT guy,” Bassett said. “If you’re a large company, you have a lot of assets to keep track of and encrypt.”

Either way, the threat persists.

What makes matters worse is that authorized users need reliable access to those same devices. “The last thing you want is for a doctor to open a laptop and it’s encrypted, and he doesn’t remember his password,” Bassett said.

Healthcare IT staff need to find a balance between access and security, Bassett said.

One approach is encrypting all devices. Another is network segmentation, in which different classes of devices are placed on separate networks and traffic between those networks is restricted. That way, an internet-connected blood pump won’t necessarily be reachable from the network the ultrasound is on, or from the network administrators use for business work. If a hacker gets into one network, he won’t necessarily have access to all the devices in an organization.
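To make the segmentation point concrete, here is an added example (not from the article or from Verizon’s report) that models a small hospital network as a device inventory plus a default-deny allow list between segments, and then computes how far an attacker who has compromised one business workstation can pivot. The hostnames, segment names, ports and allow list are constructed for illustration; hosts on the same segment are assumed to talk freely, which is what a plain VLAN gives you without further filtering.

```python
"""Model of network segmentation and its effect on lateral movement.

Added example; not code from the article or Verizon. Inventory, segments,
ports and the allow list below are constructed for illustration.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed inventory: which network segment each device lives on.
INVENTORY: Dict[str, str] = {
    "infusion-pump-01": "clinical-devices",
    "infusion-pump-02": "clinical-devices",
    "ultrasound-01": "imaging",
    "pacs-server": "imaging",
    "ehr-app-server": "servers",
    "ehr-db": "servers",
    "reception-pc-01": "business",
    "billing-pc-01": "business",
}

# (source segment, destination segment, TCP port); port None means any port.
# Entries describe who may *initiate* a connection; reply traffic is assumed
# to be handled by a stateful firewall and needs no entry of its own.
Flow = Tuple[str, str, Optional[int]]

# Default-deny: anything not listed is blocked at the segment boundary.
SEGMENTED_POLICY: FrozenSet[Flow] = frozenset({
    ("business", "servers", 443),          # staff use the EHR web front end
    ("imaging", "servers", 443),           # modalities query the worklist
    ("clinical-devices", "servers", 443),  # pumps post telemetry to the EHR
})

# A flat network: every segment may reach every other on any port.
_SEGMENTS = set(INVENTORY.values())
FLAT_POLICY: FrozenSet[Flow] = frozenset(
    (s, d, None) for s in _SEGMENTS for d in _SEGMENTS
)

# Ports an attacker would typically try when pivoting (constructed list).
PIVOT_PORTS = (22, 443, 445, 3389, 5432)


def flow_allowed(policy: FrozenSet[Flow], inventory: Dict[str, str],
                 src_host: str, dst_host: str, port: int) -> bool:
    """True if src_host may open a connection to dst_host on port."""
    src_seg, dst_seg = inventory[src_host], inventory[dst_host]
    if src_seg == dst_seg:
        return True  # same segment: no boundary to enforce in this model
    return any(s == src_seg and d == dst_seg and p in (None, port)
               for s, d, p in policy)


def lateral_reach(policy: FrozenSet[Flow], inventory: Dict[str, str],
                  start: str) -> Set[str]:
    """Worst-case pivot: every host the attacker can connect to on any
    PIVOT_PORTS port is assumed to be compromised in turn, and the search
    continues from it. Returns all hosts reachable this way, excluding start."""
    seen = {start}
    frontier = [start]
    while frontier:
        host = frontier.pop()
        for target in inventory:
            if target in seen:
                continue
            if any(flow_allowed(policy, inventory, host, target, p)
                   for p in PIVOT_PORTS):
                seen.add(target)
                frontier.append(target)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    start = "billing-pc-01"  # a compromised business workstation
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = lateral_reach(policy, INVENTORY, start)
        print(f"{name:9s} from {start}: {sorted(reach)}")
```

Running it shows the difference the article describes: on the flat network the compromised billing PC can reach every other device, pumps included; with the segmented policy it reaches only the other business PC and the EHR servers, because nothing in the allow list permits connections from the business or server segments into the clinical-device or imaging segments. The direction matters too: a pump may post to the EHR server on 443, but the server cannot initiate a connection back to the pump.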

A complementary approach is enabling two-factor authentication, especially given how many providers work remotely.

Small organizations might consider software-as-a-service electronic health records, since the vendor is then responsible for securing the hosted system, Bassett said.

Breaches in most of the industries Verizon studied are on the rise. Notably, they decreased in the financial sector from 2015 to 2017. They’re also down in manufacturing.

The increase in breaches in healthcare could be attributed partially to stricter reporting requirements, Bassett said.
