COVID VaccinesReturn to WorkMental Health

Why Is Health Care Cybersecurity So Bad? Blame the Insiders, New Verizon Report Says

March 2, 2018, 8:57 PM UTC
Hacker, cyborg programmer on a computer
Photograph by Getty Images/iStockphoto

It’s no secret that health care is particularly vulnerable to cyberattacks when compared with other industries. But a new cybersecurity report from Verizon outlines the stunning degree to which internal actors are responsible for health care data breach threats—whether for personal gain or through sheer human error.

“Health care is the only industry in which internal actors are the biggest threat to an organization,” wrote the report authors. “Often they are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent).”

The assessment goes on to note that employee practices are a big part of the problem, too. In fact, pure human error—including misdelivery of personal health information, disposing of sensitive data in an improper manner (including by not shredding up paper documents), and publishing information on platforms that have a wider-than-intended audience, made up more than a third of the “threat actions” identified by Verizon. The widespread use of paper documents in the medical system is a big part of the problem; information may get sent to the wrong place, or thrown away into bins that could open up unintended access. But that’s not to say there isn’t medical malice at work, too.

Subscribe to Brainstorm Health Daily, our newsletter about the most exciting health innovations.

“From a standpoint of internal actors, the access that healthcare workers have to personal information of patients affords a convenient means to commit fraud of various types (for example tax return fraud or opening lines of credit),” wrote the authors. “Insiders are also frequently prone to curiosity, and the accessing of patient data outside of their job responsibilities is reflected in the 94 instances where fun is the motive behind the data breach.”

Those are some troubling findings given that health care is also particularly vulnerable to ransomware due to the wealth of highly personal medical and financial information contained in such records. As we’ve covered before, nearly three-quarters of all 2016 malware attacks analyzed by Verizon were ransomware, in which sensitive information is held hostage in exchange for digital recompense.

Verizon has a number of suggestions for addressing these threats, including better practices when it comes to securing passwords, disposing of data responsibly, and training employees to not get suckered by malicious phishing emails (you can read the full report here). The conclusion, overall, is a daunting one: “Note that none of these [threats] are mutually exclusive and it’s normal for several threat action categories and multiple threat action varieties to be present in an incident or breach event chain, just as it’s possible for a person to be suffering from more than one illness at once.”