“End-users, sysadmins, and developers lead the pack when it comes to mucking things up, though pretty much all of us are guilty.” These are simple, yet telling, words from the 2014 Data Breach Investigations Report released this week by Verizon.
The report statistics indicate:
- 46 percent of all healthcare data security incidents come from theft or loss of a laptop or other device containing confidential information, roughly triple the rate in almost all other industry sectors
- Physical loss is 15 times more common than theft
- Most thefts occur in the work area, followed by homes and vehicles.
The Verizon report, which now draws on a decade of incident data, is compiled from actual data security incidents reported by global law enforcement agencies, information security agencies, forensics organizations, and Information Sharing and Analysis Centers (ISACs), including the National Health ISAC. It finds: “Nine out of ten of all breaches can be described by nine basic patterns.” Almost three-quarters (73 percent) of all healthcare incidents fall into three of these patterns: physical theft and loss (46 percent), insider misuse (15 percent), and miscellaneous error, such as misdelivery, publication, and disposal (12 percent).
The message for healthcare providers—from the largest hospitals, to small practices, to continuing care retirement communities—is that the path to improved data security begins with controls to protect us from ourselves. First, we must understand where our data is and who has access to it; that inventory is the foundation of every good data security risk analysis. Audit processes, including periodic review of user accounts and logs, can catch both intentional and inadvertent breaches: a departed employee whose account is still enabled, or an account that has not been used in months but still has access to patient records. Protecting the data itself, through encryption and data loss prevention (DLP) software, will minimize the damage when the inevitable happens and someone loses a device: a lost laptop with full-disk encryption is a hardware loss, while an unencrypted one holding patient data is a reportable breach.
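The periodic review described above is easy to automate once the inventory exists. The following is an added example, not code from the original article or from Verizon: it runs a review over a constructed asset inventory and account export, flagging devices that hold confidential data without full-disk encryption, enabled accounts belonging to terminated staff, accounts idle beyond an assumed 90-day window, and the cross-check practitioners most want, confidential-data devices whose owner's account is in one of those states. The field names, the sample records and the thresholds are assumptions made for illustration.

```python
"""Access and device-encryption review over constructed sample data.

Added example, not from the original article or from Verizon. The
inventory and account records are constructed; field names and the
90-day inactivity threshold are assumptions.
"""
from datetime import date, timedelta

# Constructed asset inventory: which devices hold confidential data (PHI)
# and whether full-disk encryption (fde) is enabled.
DEVICES = [
    {"asset": "LT-0412", "owner": "jdoe",   "holds_phi": True,  "fde": True},
    {"asset": "LT-0555", "owner": "rsmith", "holds_phi": True,  "fde": False},
    {"asset": "LT-0601", "owner": "kpatel", "holds_phi": False, "fde": False},
    {"asset": "USB-017", "owner": "rsmith", "holds_phi": True,  "fde": False},
]

# Constructed account export: enabled flag, last interactive login
# (None if never), and HR termination date (None if still employed).
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_login": date(2014, 4, 20), "terminated": None},
    {"user": "rsmith",     "enabled": True,  "last_login": date(2013, 11, 2), "terminated": None},
    {"user": "kpatel",     "enabled": True,  "last_login": date(2014, 1, 15), "terminated": date(2014, 2, 1)},
    {"user": "tmp-vendor", "enabled": True,  "last_login": None,              "terminated": None},
    {"user": "svc-backup", "enabled": True,  "last_login": date(2014, 4, 21), "terminated": None},
    {"user": "mlee",       "enabled": False, "last_login": date(2013, 6, 1),  "terminated": date(2013, 6, 1)},
]


def unencrypted_phi_devices(devices):
    """Devices holding confidential data without full-disk encryption.
    Losing one of these is a breach, not just a hardware loss."""
    return sorted(d["asset"] for d in devices if d["holds_phi"] and not d["fde"])


def orphaned_accounts(accounts, as_of):
    """Still-enabled accounts whose owner HR has already terminated."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and a["terminated"] is not None and a["terminated"] <= as_of
    )


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no login inside the idle window (assumed 90 days).
    An account that has never logged in counts as stale."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def exposed_phi_devices(devices, accounts, as_of):
    """Cross-check: PHI-holding devices whose owner is orphaned or stale.
    These are the devices nobody is watching but that still carry data."""
    risky = set(orphaned_accounts(accounts, as_of)) | set(stale_accounts(accounts, as_of))
    return sorted(d["asset"] for d in devices if d["holds_phi"] and d["owner"] in risky)


def review(devices, accounts, as_of):
    """Run the full periodic review and return the findings as a dict."""
    return {
        "unencrypted_phi_devices": unencrypted_phi_devices(devices),
        "orphaned_accounts": orphaned_accounts(accounts, as_of),
        "stale_accounts": stale_accounts(accounts, as_of),
        "exposed_phi_devices": exposed_phi_devices(devices, accounts, as_of),
    }


if __name__ == "__main__":
    for finding, items in review(DEVICES, ACCOUNTS, date(2014, 4, 25)).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Each finding maps to one of the report's top healthcare patterns: the unencrypted-device list is the theft-and-loss exposure, the orphaned and stale accounts are where insider misuse and error accumulate, and the cross-check shows which confidential-data devices to recover first. Run against a real inventory, the same review should be scheduled, and its output reviewed by someone other than the person who administers the accounts.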
Above all, however, we must renew our efforts to inform and train our personnel, from the highest executive to the clerical staff. Indeed, the report notes: “The data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone…[and] this pattern contains more incidents caused by business partners than any other.” Training and awareness are both undervalued and underutilized.
If you would like to know more about how information mapping and training can help your organization minimize its data security risks, we can help.