Employees cause more cyber breaches in healthcare than other industries, report finds

By Rebecca Pifer for Healthcare Dive

Dive Brief:

  • Internal actors continue to pose a sticky cybersecurity problem for healthcare companies despite not causing a majority of data breaches, according to a new data breach report from Verizon.
  • Employees were responsible for 39% of healthcare breaches last year. That’s compared to just 18% across all industries, Verizon found.
  • The makeup of the insider breach has shifted from generally malicious misuse incidents to miscellaneous errors, with employees being more than 2.5 times more likely to make an error than purposefully misuse their access. Data misdelivery — like sending an email to the wrong person — along with device or document loss are the most common employee errors in healthcare, according to the report.

Dive Insight:

Cybersecurity breaches in healthcare hit a high last year, compromising a record volume of patient data. External threats like ransomware continue to drive concerns in the industry, with stressors like chronically underfunded security measures, the potential for Russian cyberattacks and the rise of an “exceptionally aggressive” ransomware group in 2022.

However, the Verizon report suggests organizations should be taking a hard look at their internal protocols as well, given employees account for almost two-fifths of breaches.

Verizon’s Data Breach Investigations Report relies on data collected from organizations that were victims of cyber incidents from November 2020 through October 2021.

The report found the top three factors driving breaches in healthcare were the same as in the year prior, though their ranking shifted.

Basic web application attacks, miscellaneous errors and system intrusion represented 76% of breaches in the healthcare industry.

Basic web application attacks, or attacks against a Web-facing application, overtook miscellaneous errors in causing breaches to account for roughly 30% of breaches — though errors remain a significant problem, the report said.

System intrusion, complex attacks using malware or hacking to achieve their objectives, made up roughly 26% of breaches. Miscellaneous errors, or unintentional actions directly compromised security of information, made up about 21%.

Despite not being a driving factor in a large volume of incidents, privilege abuse — incidents driven by unapproved or malicious use of legitimate privileges by employees — is three times more likely in healthcare breaches than in other industries, Verizon found.

“Healthcare has had an ongoing problem with internal actors accessing their data without a valid reason for a long time. And while it is no longer in the top tier of the patterns in Healthcare, it should not be discounted as a solved problem,” the report said.

Nearly 60% of the data compromised in healthcare breaches was personal data, while 46% was medical. Personal data was compromised more often than medical for the second year in a row, Verizon found.

The reasons for this trend are unclear, but could mean organizations have increased their security around medical data without corresponding protections for personal data.

It could also mean cyberattackers aren’t focused on getting sensitive medical information.

“Do we consider this the norm now for the one industry with a plethora of medical data? Is this because the actors are just getting in and getting their encryption game on without regard to the type of records they are rendering inaccessible? Only those in the industry know for certain if they have increased their controls around their Medical data but left Personal data in the waiting room,” the report said.

The Verizon report found the healthcare industry had 849 incidents and 571 breaches last year. That trails the finance and professional sectors in both incidents and breaches, though healthcare also lagged behind education, information, manufacturing, public administration in incidents alone.

Share Article: