Healthcare providers are struggling to defend themselves against the fast-evolving world of organized crime, according to a new study by Verizon.
The 2014 Data Breach Investigations Report found that theft and loss of devices are the most common security breach in healthcare. Most thefts occur outside the workplace, typically a device taken from an employee’s car, but a significant portion are taken from the victim’s own work area.
Tony Maupin, senior analyst and DBIR co-author at Verizon, says that in order to mitigate this risk there are three key actions that healthcare providers need to take.
“First, encrypt those devices, because if you encrypt the data then when they steal it all they have is a physical device and they can’t ever access the data,” he said.
“Secondly, you need security and awareness training. You need to teach your people that unless they need those devices they should not bring them into a restaurant or leave them in the back seat of a car. Lock them up, and keep them somewhere that they can’t be seen.”
Thirdly, he said that it is important to make sure the data is backed up and that the backups themselves are encrypted.
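The first and third recommendations rest on the same property: a stolen laptop or backup tape that holds only ciphertext gives the thief "a physical device" and nothing else. As an added example, not code from Verizon or the article, the Go program below seals a record with AES-256-GCM (the record text, function names and key handling are constructed for illustration) and shows that the stored blob opens only with the right key and is rejected outright if any byte has been changed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// lives in a key manager, TPM or smart card, never on the same device or
// tape as the data it protects; if it did, the thief would have both.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext and returns nonce || ciphertext || tag,
// the blob that would be written to the laptop disk or backup medium.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Appending to the nonce slice makes the nonce travel with the ciphertext.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any
// byte of the blob was modified: that is the GCM authentication tag check.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	// Constructed sample record standing in for a patient file on a device.
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: hypertension")
	key, _ := NewKey()
	blob, _ := Seal(key, record)
	fmt.Printf("stored blob is %d bytes and reveals nothing without the key\n", len(blob))

	if out, err := Open(key, blob); err == nil {
		fmt.Printf("with the key: %s\n", out)
	}
	wrong, _ := NewKey()
	if _, err := Open(wrong, blob); err != nil {
		fmt.Println("with a wrong key:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, blob); err != nil {
		fmt.Println("after tampering:", err)
	}
}
```

Full-disk tools such as BitLocker or LUKS apply the same idea at the block layer, and backup software that encrypts before writing to tape or cloud storage applies it to the third recommendation; in every case the check a practitioner should make is where the key is kept, because an encrypted device whose key sits on a sticky note in the laptop bag is the plaintext device Maupin warns about.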
He added that the second most common security problem in healthcare is insider misuse – typically when patient data is accessed for espionage or financial gain. Most of this is perpetrated by individuals based within the organization, not contractors or remote employees.
“It’s a huge surprise for organizations to find out that their managers, their finance department and their trusted end users are responsible. They almost always believe it’s the developers, the systems administrators and the temporary employees. It’s the exact opposite of that,” he said.
To minimise the risk of this occurring, it is important to limit each member of staff to the access their job actually requires.
“Look at people’s roles and responsibilities within the organization and start to take a pessimistic stance towards security,” he said. “Lock down people’s credentials to match the jobs that they’re doing so they only have access to what they’re supposed to.”
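One concrete form of "lock down credentials to match the job" is to derive access from a role table rather than from whatever grants an account has accumulated, and then audit accounts against that table. The Go program below is an added example, not from the report or the article; the permission names, role table and user list are constructed for illustration. It refuses anything the role does not cover (including unknown roles) and lists, per account, the grants to revoke, which is the kind of report that would have flagged the finance and management users Maupin describes.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a named right in the record system. The names below are
// constructed for this example, not taken from any real EHR product.
type Permission string

const (
	ReadClinical  Permission = "clinical:read"
	WriteClinical Permission = "clinical:write"
	ReadBilling   Permission = "billing:read"
	WriteBilling  Permission = "billing:write"
	ExportRecords Permission = "records:export"
	AdminUsers    Permission = "admin:users"
)

// RolePermissions is the hypothetical minimum each job function needs.
// A role not listed here has no permissions at all (deny by default).
var RolePermissions = map[string]map[Permission]bool{
	"nurse":    {ReadClinical: true, WriteClinical: true},
	"billing":  {ReadBilling: true, WriteBilling: true},
	"manager":  {ReadBilling: true},
	"sysadmin": {AdminUsers: true},
}

// Account pairs a user's job role with the grants the account actually
// carries today, which is what an audit has to compare against the role.
type Account struct {
	User   string
	Role   string
	Grants []Permission
}

// Allowed is the enforcement check. Access comes from the role alone, so a
// grant that has accumulated on the account but is not part of the role
// gives nothing. An unknown role looks up a nil map and is refused.
func Allowed(a Account, p Permission) bool {
	return RolePermissions[a.Role][p]
}

// ExcessGrants returns, sorted and de-duplicated, every grant the account
// holds that its role does not need: the list to revoke.
func ExcessGrants(a Account) []Permission {
	need := RolePermissions[a.Role]
	seen := map[Permission]bool{}
	var excess []Permission
	for _, g := range a.Grants {
		if !need[g] && !seen[g] {
			seen[g] = true
			excess = append(excess, g)
		}
	}
	sort.Slice(excess, func(i, j int) bool { return excess[i] < excess[j] })
	return excess
}

// Audit runs ExcessGrants over a user list and returns only the accounts
// that hold more than their job requires.
func Audit(accounts []Account) map[string][]Permission {
	findings := map[string][]Permission{}
	for _, a := range accounts {
		if ex := ExcessGrants(a); len(ex) > 0 {
			findings[a.User] = ex
		}
	}
	return findings
}

// SampleAccounts is a constructed user list: two accounts are clean, a
// billing clerk has picked up clinical and export rights, and a manager
// has been given user administration.
func SampleAccounts() []Account {
	return []Account{
		{User: "alice", Role: "nurse", Grants: []Permission{ReadClinical, WriteClinical}},
		{User: "bob", Role: "billing", Grants: []Permission{ReadBilling, WriteBilling, ReadClinical, ExportRecords}},
		{User: "carol", Role: "manager", Grants: []Permission{ReadBilling, AdminUsers}},
		{User: "dave", Role: "sysadmin", Grants: []Permission{AdminUsers}},
	}
}

func main() {
	accounts := SampleAccounts()
	findings := Audit(accounts)
	users := make([]string, 0, len(findings))
	for u := range findings {
		users = append(users, u)
	}
	sort.Strings(users)
	for _, u := range users {
		fmt.Printf("%s: revoke %v\n", u, findings[u])
	}
	// Even before the revocation runs, the enforcement check already refuses
	// the excess right because it consults the role, not the stored grant.
	fmt.Println("bob may read clinical records:", Allowed(accounts[1], ReadClinical))
}
```

Run on a real directory or EHR export, the Audit step is the one to schedule, because grants drift as people change jobs; the Allowed step is what keeps a drifted grant from being usable in the meantime.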
Verizon, 2014 Data Breach Investigations Report, Tony Maupin, US