Verizon has released its yearly Protected Health Information Data Breach Report. The results show that the healthcare sector differs from other industries in that insider threats were more common than external ones, comprising about 58% of healthcare breaches. But why?
From the standpoint of internal actors, the access that healthcare workers have to patients' personal information affords a convenient means to commit fraud of various types (for example, tax return fraud or opening lines of credit). Insiders are also frequently prone to curiosity, and accessing patient data outside of their job responsibilities is reflected in the 94 instances where fun is the motive behind the data breach. For example, the admission of a family member, acquaintance or well-known personality into a hospital can present a temptation for employees who have technical access to that patient’s health record but no direct role in providing care or services to that patient. Any unwarranted access to that patient’s record simply to satisfy their curiosity would be (and is) considered a breach. Lastly, convenience as a motive comes into the picture when insiders do something that makes it easier for them to get their work done but, as a consequence, also puts data at risk. An example would be violating data handling policies by storing sensitive data on unapproved hardware.
So how can the healthcare industry stop these insiders from exposing protected data? While technical safeguards will certainly help, it is really up to the people inside an organization to do their part. Proper training and awareness of HIPAA and data security best practices are essential to ensuring patients' data remains secure.