Healthcare Must Stop Insider Misuse, 'Miscellaneous' Mistakes
Insider misuse of data - the second most common cause of healthcare data breaches, according to the Verizon DBIR - most often results from the abuse of privileged access to desktop computers, databases and servers. "Most insider misuse occurs within the boundaries of trust necessary to perform normal duties," the report says. "That's what makes it so difficult to prevent."
To prevent this from happening, healthcare organizations need to intimately know their data and who has access to it, the DBIR says. They need to watch for data exfiltration, regularly review user accounts and publish the results of any audits they conduct.
Any employee accessing data that's not required of his or her job or department needs to be flagged, says Suzanne Widup, a senior analyst with Verizon Business and DBIR author. "It's all about knowing who has access to sensitive data," she says. Better that you discover fraud and nip it in the bud, she adds, than to have patients learn the hard way that they're victims of fraud.
The third most common cause of data breaches is almost unique to healthcare and government - so much so that the Verizon DBIR categorizes it as "miscellaneous errors" - and is all too familiar to industry observers. Think paper records that aren't shredded, CD-ROMs that aren't destroyed, X-rays that are nabbed by opportunistic crooks who want the silver that's inside, and mass mailings where a single mistake means thousands receive the wrong record.
Here, again, the solution isn't difficult: Data loss prevention software to monitor email or USB drives, for example, or a policy that treats old hardware like hazardous waste that only IT can dispose of properly.
Cyberattacks, Point-of-Sale Vulnerabilities Still Matter
Though neither point-of-sale (POS) hacks nor cyberattacks rank among healthcare's top data breach causes, Verizon Business and Symantec deem these respective vulnerabilities worthy of healthcare's attention.
Hospitals may use POS systems, for example, to collect copays or let cafeteria patrons pay for food. Many such systems are managed by third-parties; this makes them attractive to thieves, Widup says, as it gives them access to all of that vendor's customers.
To keep POS systems safe, the Verizon DBIR report recommends restrictions on remote access, enforced password policies, robust antivirus software and limits on additional uses - that means no social media sites or games.
As for cyberattacks, Symantec points to several, including the "professionalization" of zero-day threats (23 reported in 2013, more than 2011 and 2012 combined), ransomware (500 percent more prevalent in 2013 than 2012) and, of course, website vulnerabilities such as Heartbleed, which Haley already expects to be a focal point of Symantec's 2014 report.
Sign up for Computerworld eNewsletters.