Health IT

The enemy within: Insiders caused 58 percent of February breaches

A new report from Protenus found that of the 31 data breach incidents in February, 58 percent were attributable to insiders while only 13 percent were due to hacking.

Security concept with cloud and lock in electronic circuit

There’s no question about it: The threat of data breaches isn’t going away anytime soon. And hospitals had best be looking in new places — such as inside their own walls — for the source of such breaches.

On Monday, Protenus released its monthly Breach Barometer. The most recent barometer, which utilizes data from DataBreaches.net, is based on healthcare breaches disclosed to HHS or the media during the month of February.

Protenus’ report found the number of data breaches remained relatively stagnant between January and February. There were approximately 31 breaches in each month. In February, Protenus had information available for 26 of the 31 incidents.

However, there were a number of key differences between Protenus’ January and February findings. For one, February had a 47 percent drop in the number of patient records affected by breaches. While 388,207 records were impacted in January, only 206,151 were affected in February.

Another major variance had to do with the cause of the incidents. In January, 12 of the 31 incidents (or 38.7 percent) were due to hacking, and only nine of the 31 incidents (or 29 percent) were due to insider events. These numbers dramatically shifted in February, in which only four out of the 31 incidents (or about 13 percent) were due to hacking, while 18 of the 31 incidents (or 58 percent) were attributable to insiders.

This shift from hacking to insider events points to a larger industry-wide necessity. “There’s a need in the market for a better understanding of how workers are using information appropriately or inappropriately,” Protenus cofounder and CEO Robert Lord said in a phone interview. “We don’t necessarily know when people are looking at records that they should or shouldn’t.”

Of the 18 insider events in February, eight of them were attributable to insider wrongdoing and nine were due to insider error. Protenus couldn’t classify the one remaining insider incident due to a lack of information provided.

Protenus also found that in February, it took organizations an average of 478 days between the time a breach was discovered and when it was reported to HHS. This compares to January’s average of 174 days between breach discovery and HHS notification.

But for some organizations, a lengthy HHS notification time period isn’t the main problem. Instead, it’s discovering the breach at all. In February, there were two occurrences in which it took organizations more than five years to even figure out a breach had happened. It took one entity 1,952 days to discover a breach and another 2,103 days to discover a breach.

Moving forward, it’s hard to know whether these trends will worsen or improve. However, Lord is hopeful that 2017 will be a time for change. “When we look at 2017, we really hope that this is a year of privacy insight and privacy awareness, particularly for people who have some type of access to records,” he said.

Certainly that’s the hope, but for right now, 2017 is shaping up to be similar to 2016, which averaged one health data breach per day.

Photo:  turk_stock_photographer, Getty Images

Shares0
Shares0