Healthcare Data Security

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed/stolen healthcare records in 2016 were the result of hacks and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far. With the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016

Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident
2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident
3 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident
4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident
5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident
6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident
7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure
8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident
9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss
10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft

Largest Healthcare Data Breaches of 2017 (January-April)

Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident
10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly and, while not quite at the level of the retail sector, they are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”

The post Bitglass Publishes 2017 Healthcare Data Security Report appeared first on HIPAA Journal.

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk.

More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management.

The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch.

George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access management initiatives, and ensures Kaiser Permanente continues to protect the ePHI of its 10.2 million members. Decesare will explain the current healthcare threat landscape and offer attendees invaluable advice on how they can secure their own networks from attack. He will also give an overview of how Kaiser Permanente operates its cybersecurity programs and manages risk.

While patients were previously tied to a healthcare organization, now they are able to easily change providers. Many do following a cybersecurity breach that exposes their health information. Jane Harper will be explaining the importance of including consumerism in risk management probability models and will cover techniques for risk management and how changes in healthcare have affected the risk environment.

Matt Trevors will explain how healthcare organizations can develop security controls that meet the requirements of the HIPAA Security Rule. In his speech, Trevors will address whether simply meeting HIPAA Security Rule requirements is sufficient to prevent data breaches. Trevors will also explain how healthcare organizations can use the Center for Internet Security’s Critical Security Controls (CIS CSC) to help them meet HIPAA Security Rule requirements, and will offer advice on the Cyber Resilience Review (CRR) – a free tool that healthcare organizations can use to assess their security programs.

M.K. Palmore will provide an invaluable insight into the current healthcare cybersecurity threat landscape, including an up-to-the-minute overview of the latest threats, such as phishing attacks, insider threats, and business email compromise scams. Palmore will cover some of the recent FBI investigations and explain how breaches occurred and how they could have been prevented. Palmore will also explain how healthcare organizations can access the FBI’s considerable resources and use its data to prevent data breaches.

The HIMSS Privacy and Security Forum will be taking place at the Grand Hyatt Union Square, on May 11-12, 2017. Further information can be found on this link.

OCR Director Stresses Importance of Keeping Health Data Secure

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip.

OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered entities are discovered to have committed serious violations of HIPAA Rules.

Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.”

Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement – the $2.5 million penalty for CardioNet – as an example of just how important it is for healthcare organizations of all types to ensure that reasonable steps are taken to safeguard patient data and ensure ePHI remains confidential. He also referenced the introduction of HITECH, explaining how it increased the allowable fines for non-compliance with HIPAA Rules.

Ransomware attacks have attracted his interest. While ransomware is mostly used to extort money from healthcare providers, Severino pointed out that ransomware attacks can result in “data being compromised, destroyed, gone for ever,” and confirmed that “it’s very likely the organizations will have to report it to OCR.” As with all breaches impacting more than 500 individuals, ransomware attacks will be investigated. OCR could fine organisations that fail to implement defences against ransomware and ensure all sensitive data are backed up.

Enforcement of HIPAA Rules is only one aspect of Severino’s job. Severino is also committed to promoting interoperability and data sharing, but emphasized that data security is an essential element of data sharing. He said a culture of trust must be developed to support the safe exchange of healthcare data.

Severino also confirmed that emerging technologies can be used within the confines of HIPAA Rules to improve data sharing with consumers. OCR will be offering assistance to covered entities in this regard, to help them use new technology while keeping data secure and protecting patient privacy. OCR will also be taking steps to ensure that covered entities are made aware of the difference between covered and non-covered entities and of the data that covered entities are permitted to disclose.

Healthcare is The Only Industry Where Insiders Pose the Biggest Threat

Verizon has published its 2017 Data Breach Investigations Report, providing an insight into the world of cybersecurity, data breaches, and the current threat landscape.

This is the tenth installment of the report, which this year includes data collected from 65 organizations, covering 42,068 separate cybersecurity incidents and 1,935 data breaches experienced by organizations in 84 countries.

Majority of Attackers are Opportunistic Hunters Looking for Vulnerabilities

While large organizations are big targets and face a higher than average risk of experiencing a data breach, the Verizon report shows that all organizations are at risk of cyberattacks. 61% of data breaches occurred at organizations with less than 1,000 employees.

Targeted attacks on organizations do occur, but the majority of cybercriminals are opportunistic. Hackers gain access to systems and data as a result of unpatched vulnerabilities, errors made by employees, and poor choices of cybersecurity solutions that fail to protect against the latest threats.

One of the most important messages from the report is organizations need to choose their cybersecurity solutions carefully and not rely on solutions that have served them well in the past. The threat landscape is constantly changing so it is essential that security solutions are regularly evaluated to make sure they continue to protect against the latest threats. Just because cybersecurity solutions have worked well in the past does not mean they will continue to be effective in the future.

Even the most advanced cybersecurity defenses can be undone by simple errors and poor security practices. Take passwords, for example. The report shows that 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Controls should be put in place forcing users to choose strong passwords. Users should also be forced to change their passwords regularly. IT departments often criticize employees for being careless and having a lack of basic security awareness, yet many breaches result from IT staff failing to change default passwords. These basic errors must be corrected across the board.

In 66% of cases, malware infections occurred as a result of employees opening infected email attachments, and one in 14 employees either opened an infected email attachment or clicked on a malicious link in an email. Training should cover the high risk of attack via email; end users should be taught how to spot phishing emails and instructed not to open attachments or click on links sent by unknown individuals. However, single training sessions are insufficient. Regular refresher sessions should be conducted to reinforce the importance of being security aware.

Healthcare is the Only Industry Where the Biggest Threat is Insiders

Healthcare data breaches have increased in the past year, although the industry is not the most attacked sector. Healthcare data breaches accounted for 15% of the total with financial institutions the worst hit, registering 24% of breaches.

Hacking continues to be a major cause of data breaches, accounting for 62% of the total. Malware was involved in 51% of incidents, and 43% of attacks involved social media. The report shows that ransomware attacks are an ever present threat, with incidents increasing by 50% in the past year.

Insiders are a major risk. Across all industries, 75% of breaches involved outsiders and 25% of attacks involved internal actors. However, that was not the case for the healthcare industry, where 68% of breaches were internal – the only industry where the biggest threat to data security comes from within.

81% of healthcare data breaches involved either the loss or theft of equipment/documents, insider and privilege misuse or unintentional errors by employees. As recent OCR breach reports have shown, the loss and theft of electronic devices continues to be a major cause of healthcare data breaches.

The Protenus Breach Barometer report for March 2017 shows that theft and loss incidents accounted for 21% of reported data breaches – the third highest cause – yet those incidents resulted in the exposure of the most records.

The use of data encryption can prevent the loss or theft of electronic equipment resulting in the exposure or disclosure of data. However, as Verizon points out, many incidents involve the loss of documents, for which encryption is no use. It is important not to forget in this electronic age that many breaches involve paper records.

Training on privacy and security along with updates to policies and procedures can help to tackle the loss and theft of physical PHI. As far as is possible, employees should be discouraged from printing documents containing sensitive information.

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee.

This week has also seen two data breaches reported that similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle, from where it was stolen. The device was neither encrypted nor password protected. ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised.

The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012.

A WHS employee was en route to a health fair in a WHS-owned vehicle on February 7, 2017 when the vehicle was stolen. The flash drive had been left in the van. In this case, the flash drive was password protected, although WHS determined on February 15, 2017 that encryption had not been used on the device. The theft was reported to law enforcement, but the vehicle and flash drive have not been recovered.

WHS has not received any reports suggesting data on the device have been accessed or used inappropriately, although an impermissible disclosure could not be ruled out. In response to the incident, WHS has taken steps to enhance its procedures relating to the storage of sensitive data on mobile devices, and employees have been retrained on safeguarding sensitive information. Individuals affected by the breach have also been offered credit monitoring and identity theft protection services out of an abundance of caution.

The CardioNet, Lifespan, and WHS breaches could all have been prevented if encryption had been used. If an encrypted device is lost or stolen, the incident does not need to be reported to OCR, patients do not need to be notified, and most importantly, patients’ ePHI will not be exposed if devices are lost or stolen.

While HIPAA Rules do not require encryption to be used to protect ePHI on portable storage devices, if the decision is taken not to use encryption, an equivalent safeguard must be used.

While a strong password may stop an opportunistic thief from accessing data, it would not be sufficient to stop a determined individual from gaining access to a device. A strong password is therefore not a safeguard equivalent to encryption. OCR would determine the use of a password – rather than encryption – to be a violation of the HIPAA Security Rule.

The simple solution to ensure that ePHI is safeguarded is to use encryption (following NIST recommendations) on all portable devices used to store ePHI. While encryption carries a cost, it is likely to be much cheaper than an OCR fine. The decision not to encrypt data on portable storage devices ended up costing CardioNet $2.5 million.
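
As an added example (not from the HIPAA Journal post, and not a tool from any vendor or regulator named above): the check a practitioner would want after reading the WHS and CardioNet cases is an inventory of which removable drives actually carry an encryption layer. The script below walks the block-device tree a Linux host reports via `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` and flags every filesystem on removable media that has no dm-crypt/LUKS layer beneath it. The `lsblk` output embedded as `SAMPLE_LSBLK` is constructed for the example, and the names `audit_removable_devices`, `unencrypted_removable` and `phi_usb` are chosen here, not taken from the page.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM`
# output (made up for this example, not captured from a real host).
#   sda  - internal disk, ignored by the audit (not removable)
#   sdb  - removable drive holding a plain ext4 filesystem (the WHS-style case)
#   sdc  - removable drive whose partition is a LUKS container, opened as the
#          "phi_usb" dm-crypt mapping that carries the actual filesystem
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "rm": False,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "ext4",
              "mountpoint": "/", "rm": False}]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "rm": True,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "ext4",
              "mountpoint": "/media/usb0", "rm": True}]},
        {"name": "sdc", "type": "disk", "fstype": None, "mountpoint": None, "rm": True,
         "children": [
             {"name": "sdc1", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None, "rm": True,
              "children": [
                  {"name": "phi_usb", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/media/phi", "rm": False}]}]},
    ]
})


def _is_removable(dev):
    """Older lsblk versions emit "1"/"0" strings for RM, newer ones booleans."""
    return dev.get("rm") in (True, "1", 1)


def _walk(dev, under_crypt, findings):
    """Depth-first walk of one device subtree.

    A node of type "crypt" is a dm-crypt mapping; everything below it is
    encrypted at rest. A "crypto_LUKS" fstype is the container itself, not a
    data filesystem, so it is skipped. Any other fstype is real data and is
    recorded together with whether an encryption layer sits above it.
    """
    under_crypt = under_crypt or dev.get("type") == "crypt"
    fstype = dev.get("fstype")
    if fstype and fstype != "crypto_LUKS":
        findings.append((dev["name"], fstype, under_crypt))
    for child in dev.get("children", []):
        _walk(child, under_crypt, findings)


def audit_removable_devices(lsblk_json):
    """Return {device_name: (fstype, encrypted)} for filesystems on removable media."""
    tree = json.loads(lsblk_json)
    report = {}
    for dev in tree["blockdevices"]:
        if not _is_removable(dev):
            continue
        findings = []
        _walk(dev, False, findings)
        for name, fstype, encrypted in findings:
            report[name] = (fstype, encrypted)
    return report


def unencrypted_removable(lsblk_json):
    """Names of removable-media filesystems with no encryption layer beneath them."""
    return sorted(name for name, (_, enc) in audit_removable_devices(lsblk_json).items()
                  if not enc)


if __name__ == "__main__":
    for name, (fstype, enc) in audit_removable_devices(SAMPLE_LSBLK).items():
        print(f"{name}: {fstype} {'encrypted' if enc else 'NOT encrypted'}")
    # sdb1: ext4 NOT encrypted / phi_usb: ext4 encrypted
```

On a real host, feed the functions the output of `subprocess.check_output(["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,RM"])` instead of the constructed sample. The check only sees encryption that is visible in the device tree (dm-crypt/LUKS); file-level schemes such as an encrypted container stored inside a plain filesystem are reported as unencrypted, which is the conservative answer for an audit. A password-protected but unencrypted drive, the WHS case above, is flagged exactly as OCR would treat it: not encrypted. On Windows the equivalent status comes from `Get-BitLockerVolume` in PowerShell.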

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. The antivirus solution identifies potentially malicious files and moves them to a quarantine folder where they can do no harm. However, an April 24 update saw swathes of critical files miscategorized as malicious. While the occasional false positive is to be expected, in this case the error was severe.

The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running.

The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses.

Webroot AV also started miscategorizing websites as malicious, preventing them from being accessed. One notable example was Facebook, which was categorized as a phishing website and was blocked. Bloomberg also had its website miscategorized as a phishing website.

The Webroot AV update failure was quickly identified and corrected. The problem occurred between 7PM and 9PM UTC, with the update live for just 13 minutes according to SwiftOnSecurity. Although the update was only available for under 15 minutes, many thousands of customers downloaded it.

The extent of the problem became rapidly apparent. The company’s forum was swamped with complaints from customers and social media was awash with comments from frantic IT admins and MSPs that had started receiving huge numbers of support calls. Webroot worked rapidly to fix the issue and while the Facebook blocking problem has been fixed, many users are still experiencing problems.

Webroot issued a set of instructions that will allow customers to restore the quarantined files and prevent those files from being quarantined again, although the instructions will only help home edition users. Businesses using Webroot AV have yet to be provided with a fix to restore system files. Webroot is currently working to correct the problem on business clients’ systems and develop a universal fix for all of its clients.

Instructions to repair the issue on Webroot home editions were published on the Webroot community forums:

Customers Turn to Twitter to Express Their Frustration About Webroot AV Update Failure

Many users took to Twitter to express their frustration about the Webroot AV update failure. Bob Ripley (@M5_Driver) said “I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?”

While many used humor, the frustration caused by the update was clear. @Limbaughnomicon said “This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!”

While many users complained that essential Windows system files had been nuked, that was far from the only problem. Many other files were also miscategorized. The update took many business apps out of action, causing considerable headaches and loss of revenue. @Davedevery said, “I work for a small software company, Webroot has targeted our EXE and is removing it from pcs. Is there any way to do like a blanket exclusion.”

iSupportU tweeted, “@Webroot everything is breaking, money is flying out the window… where are you? I have been on hold 20+min.”

Splumlee said “This is taking out all of the MSPs. Specifically we are losing almost all .EXE files across all of our clients.”

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis had been performed, but OCR investigators determined that it was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that failing to comply with HIPAA Rules can prove very costly, and that it is not only hospitals and health plans that run the risk of a significant financial penalty for non-compliance.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health – $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

68% of Healthcare Employees Would Share Regulated Data

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances.

The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is occurring.

The survey was conducted on 2,608 individuals whose job duties involve handling confidential information. Across all industries, an alarming 72% of employees said they would willingly share sensitive information. 68% of healthcare employees who took part in the survey also confirmed that they would share PHI without authorization under certain circumstances.

Dell explains that in most cases, unauthorized sharing of confidential data is not malicious. It occurs when employees are trying to be more efficient and work as effectively as possible. Unfortunately, however, in an effort to get more work completed in less time, those employees are taking considerable security risks. In the case of healthcare employees, those actions could potentially violate the privacy of patients and result in their organization facing a significant HIPAA penalty.

Across all industries, 43% of employees would share sensitive, confidential data if they were directed to do so by management and 37% would share data with a person that was authorized to receive it. As Dell points out, this is why cybercriminals pose as trusted individuals and why business email compromise is so effective.

Other situations when employees would share data include if the risk was low and the benefit was high (23%), if it would allow them to perform their job more effectively (22%) and if it made the recipient of the information able to work more effectively (13%).

Dell explains that employees decide to share data independently, assessing the risks and benefits on a case-by-case basis, and points out that it is up to organizations to put policies and procedures in place that define the circumstances under which information can be shared. It is also important to ensure that, when data are shared, employees do so in a secure fashion.

Some of the most common security risks taken by the respondents who work in highly regulated industries such as finance and healthcare were using personal email accounts to send confidential information – 52% of respondents – and accessing confidential data via public Wi-Fi hotspots – 48% of respondents.

35% of respondents said it was common to take confidential work information with them when they changed employment. When that does occur, 61% used a USB drive and 56% sent the information to a personal email account.

Other risky behaviors involved using work-issued devices to access personal social media accounts – 46% of respondents – and using public cloud services to store or save their work – 56% of respondents.

The survey revealed that two out of three employees feel it is their own responsibility to educate themselves on possible risks, rather than being told by their company. However, while training on cybersecurity is important, it is not 100% effective. Even when provided with training on best practices, 24% of trained employees said they still engaged in unsafe behavior in order to get their work done.

Poor Security Awareness Greatest Threat to Healthcare Data Security

A recent survey conducted by HIMSS Analytics for the 2017 Level 3 Healthcare Security Study has shown that the biggest concern regarding healthcare data security is a lack of employee security awareness.

The survey, sponsored by Level 3 Communications, Inc., was conducted on 125 healthcare IT executives and IT professionals, including directors, IT managers, IT security officers and other IT staff. The aim of the study was to provide insight into the main high-level security concerns within the healthcare industry.

The majority of respondents – 85% – said they had education programs that taught employees to be more security aware, although that was not enough to ease concerns. A lack of employee security awareness was the top-rated concern, with more than 78% of respondents saying employee security awareness was one of the main concerns regarding exposure to threats.

Employees are considered the weakest link in the security chain and with good reason. As last month’s Healthcare Breach Barometer report from Protenus shows, insiders are the biggest cause of healthcare data breaches. In March 2017, 44% of reported healthcare data breaches were due to insiders – a mix of errors and deliberate breaches. While there are always going to be bad apples, all too frequently, mistakes are made that result in the door being opened to attackers.

Other key concerns were exposure from third-parties and partners, which was rated as a top concern by 69% of respondents. Securing BYOD and wireless devices was a major concern for 54% of respondents, while having a lack of actionable threat intelligence was a top concern for 39% of respondents.

When asked about the main barriers that hampered organizations’ attempts to develop a comprehensive security program, competing priorities was the main issue, closely followed by budgetary constraints, rated by 79% and 74% of respondents respectively. The impact to clinical workflows, employee awareness and training, and a lack of in-house expertise made up the top five.

The survey revealed that the majority of organizations are using multiple risk mitigation practices, with 87% using remote access and secure access controls, 85% relying on security awareness programs for employees and 75% using security consulting services, vulnerability assessments and penetration tests to uncover potential weak points in their cybersecurity defences. Six out of ten organizations have now implemented next-generation firewalls, and more than half have implemented DDoS mitigation services (56%) and have access to cyber threat intelligence (55%).

When asked to rate their level of concern about experiencing a security breach in the next 12 months, only 1.6% of respondents said they had no concern at all. 36% said they had a high level of concern.

Chris Richter, SVP, Global Security Services for Level 3, said “The security threats the healthcare industry is facing are real and they’re only increasing in volume and sophistication as bad actors continue to seek out coveted protected health information.”

Richter said it is important to foster and maintain a culture of security and to ensure employees receive regular security training, but additionally, “healthcare organizations should implement a security governance framework and appropriate technology controls.” Those controls should include “threat intelligence, DDoS mitigation and next generation firewalling and sandboxing.”