The IBM X-Force Threat Intelligence Report found that 71% of healthcare data breaches are caused by employee actions. These fall into two types: malicious insiders, who account for 25% of healthcare data breaches, and inadvertent actors, who account for 46%.
The share of breach incidents attributed to malicious insiders seems quite high, but on closer inspection the cases are not all about stealing protected health information (PHI). Most malicious insider cases involve employees snooping on the healthcare data of colleagues, friends and celebrity patients. The 2013 Veriphyr Identity and Access Intelligence study identified snooping as the largest single cause of data breaches. Snooping is an unauthorized disclosure of PHI and violates the HIPAA rules. Covered entities should be alert to snooping and include it in their HIPAA risk assessments.
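As an added illustration (not from the original article), one way a covered entity can surface snooping in EHR access logs is to flag every record access that falls outside the user's documented care team, and to rank hits on colleagues' or VIP patients' records higher. The log entries, care-team roster, patient flags and user names below are constructed for the example; real EHR audit exports and roster fields will differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str      # employee who opened the record
    patient: str   # patient record that was opened
    action: str    # e.g. "view", "print", "export"


# Constructed care-team roster: patients each user may legitimately open.
CARE_TEAM = {
    "nurse.a": {"P100", "P101"},
    "clerk.b": {"P100", "P101", "P102"},
    "dr.c": {"P103"},
}
# Constructed flags: patients who are also staff, and VIP/celebrity patients.
EMPLOYEE_PATIENTS = {"P200"}
VIP_PATIENTS = {"P300"}
# Constructed exemption: an audit role whose accesses are reviewed elsewhere.
EXEMPT_USERS = {"him.auditor"}

# Constructed sample log: three legitimate accesses and three suspect ones.
SAMPLE_LOG = [
    Access("nurse.a", "P100", "view"),
    Access("clerk.b", "P102", "view"),
    Access("dr.c", "P103", "print"),
    Access("nurse.a", "P200", "view"),    # colleague's record, no care relation
    Access("clerk.b", "P300", "export"),  # VIP record, exported
    Access("dr.c", "P101", "view"),       # outside this user's care team
]


def flag_snooping(log, care_team=CARE_TEAM, employee_patients=EMPLOYEE_PATIENTS,
                  vip_patients=VIP_PATIENTS, exempt=EXEMPT_USERS):
    """Return (user, patient, reasons) for each access outside the care team.

    Reasons accumulate so a privacy officer sees why an access was flagged;
    employee-patient, VIP and print/export hits are the higher-risk categories.
    """
    alerts = []
    for entry in log:
        if entry.user in exempt or entry.patient in care_team.get(entry.user, set()):
            continue
        reasons = ["no treatment relationship"]
        if entry.patient in employee_patients:
            reasons.append("patient is an employee")
        if entry.patient in vip_patients:
            reasons.append("VIP patient")
        if entry.action in ("print", "export"):
            reasons.append(f"{entry.action} of PHI")
        alerts.append((entry.user, entry.patient, reasons))
    return alerts
```

Running `flag_snooping(SAMPLE_LOG)` returns the three suspect accesses with their reasons; in practice the roster would be rebuilt from admission, scheduling and care-team assignments before each review.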
Among employee HIPAA violations, the ones that expose the largest number of records are insider data thefts. One high-profile breach in this category occurred at Jackson Health System in Florida, where a secretary accessed over 24,000 computerized patient medical records and sold them to criminals, who used the data to file fraudulent tax returns with the IRS.
Because of the high-volume breaches that result, the HHS Office for Civil Rights has had to remind covered entities to take action against insider data theft. Covered entities have not responded well, however. A 2016 survey found that half of healthcare IT professionals were concerned about insider data theft but said their organizations did not provide the budget to address it.
Inadvertent actors are employees who fell victim to phishing attacks and IT professionals who did not configure system security settings properly. They are more accurately described as “employees who inadvertently invited cybercriminals to steal data.” The number of data breaches caused by inadvertent actors is about twice the number caused by external hacks.
The risk from inadvertent actors can be reduced with proper security awareness training, including phishing simulation exercises for employees. Misconfigured security controls can be caught and corrected by reviewing settings regularly. Breaches of this kind can be avoided when such measures are properly implemented.