More than 9 out of 10 health-care data breaches affecting 500 or more individuals published on the U.S. Department of Health & Human Services website were caused by organizations’ own employees, not hackers. Virtually every complaint of privacy violations investigated by the Office for Civil Rights (OCR), a division of the HHS, and resulting in corrective actions involved unintentional or malicious violations by employees.

While organizations fret over the next cyber attack, more than 50% of health-care breaches are due to lost or stolen laptops, backup tapes, and mobile devices containing unencrypted data. Then there are the everyday human errors that happen at companies in every industry, like a worker leaving the door to the server room unlocked or putting passwords on a sticky note under the keyboard.

Even the majority of health data breaches that are categorized as “IT Incidents/Hackers” are the result of employees clicking on phishing messages or succumbing to social engineering.

There are several reasons why these things occur; some are unintentional, and some are very intentional and malicious. On the unintended side, lack of specific training and security awareness is a primary contributor. On the intentional or malicious side, there are financial gains from selling the information or exposing it to the media, not to mention, in health care, the possibility of free medical care and prescription access to narcotics.

What steps can a CFO take to protect against both kinds of incidents?

  • Develop specific policies and procedures regarding the handling of proprietary or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
  • Improve training. Many organizations think that a general 30-minute online information-security training followed by 10 questions is sufficient for employees to know what they should do in a given situation. However, the lack of specificity to their own responsibilities opens the possibility of unintentional exposure of, or unauthorized access to, protected information.
  • Ensure only the minimum necessary access to the information. Organizations need to take the time to assess the functions or roles in the organization that need access to confidential information, and to document the process for initiating and terminating that access. The most damaging impact on an organization can be caused by a disgruntled employee who is terminated from the organization, yet his or her access to information is not cut off in a timely fashion.
  • Communicate and apply consistent sanctions for information privacy or security violations. If there is no punishment for accessing or sharing information, people are more apt to do so. For example, rural hospitals and health plans have significant problems with employees snooping into medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address the improper snooping into the medical records of celebrities and prominent public figures. An organization can suffer significant financial and reputational damage if steps aren’t taken when bad behavior occurs.
  • Monitor employee activity. Doing so ensures appropriate access and can unearth any unusual activity. Take the time to review or randomly sample usage reports to identify any potential problems early and initiate remediation activities.
  • Ensure adequate oversight or governance of information security programs. This is necessary to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
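The third and fifth steps above (minimum necessary access, with timely termination, and sampling of usage reports) can be turned into a simple review script. The following is an added example, not code from the article or from Clearwater Compliance; the roster, patient flags, care-team pairs and audit-log lines are all constructed, and the log format is an assumption.

```python
# Added example (not from the article): an access-review pass over constructed
# EHR audit-log lines, flagging access after termination and record snooping.
# All names, dates and record formats below are constructed for illustration.
from datetime import date

# Constructed HR roster: user -> (role, termination date or None)
ROSTER = {
    "jdoe":   ("nurse", None),
    "asmith": ("billing", date(2015, 3, 1)),   # terminated, account still live
    "bwong":  ("physician", None),
}

# Constructed patient flags: records of staff members, and of public figures
STAFF_PATIENTS = {"P-1001"}   # a colleague's own medical record
VIP_PATIENTS = {"P-2002"}

# Constructed care relationships: (user, patient) pairs with a treatment reason
CARE_TEAM = {("jdoe", "P-3003"), ("bwong", "P-2002")}

# Constructed audit log: each line is "date,user,patient_id,action"
AUDIT_LOG = """\
2015-03-05,jdoe,P-3003,view
2015-03-05,asmith,P-3003,view
2015-03-06,jdoe,P-1001,view
2015-03-06,bwong,P-2002,view
2015-03-07,jdoe,P-2002,view
"""

def review_access(log_text):
    """Return a list of (user, patient, reason) findings for a human reviewer."""
    findings = []
    for line in log_text.strip().splitlines():
        day, user, patient, _action = line.split(",")
        when = date.fromisoformat(day)
        _role, terminated = ROSTER.get(user, ("unknown", None))
        if terminated and when >= terminated:
            findings.append((user, patient, "access after termination"))
            continue
        on_care_team = (user, patient) in CARE_TEAM
        if patient in STAFF_PATIENTS and not on_care_team:
            findings.append((user, patient, "colleague record without care relationship"))
        elif patient in VIP_PATIENTS and not on_care_team:
            findings.append((user, patient, "high-profile record without care relationship"))
    return findings

if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG):
        print(finding)
```

In practice the roster and care-team data would come from the HR and scheduling systems, and findings would feed the sanctions process described in the next step rather than being acted on automatically.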

Ninety percent of an organization’s data breaches are due to “friendly fire” – the mistakes and transgressions of the business’s own employees and business associates. By taking the actions outlined above, a company can greatly reduce the likelihood of these internal breaches – both the careless mistakes and the malicious acts.

Mary A. Chaput is CFO of Clearwater Compliance in Nashville, Tennessee.


3 responses to “6 Ways to Combat Internal Threats to Data Security”

  1. I agree that “Ninety percent of an organization’s data breaches are due to ‘friendly fire’ – the mistakes and transgressions of the business’s own employees and business associates.”

    We are seeing a number of common issues across recent data breaches, stealing our most sensitive data, and I think it is time to re-think our security approach and be more data-centric.

    Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

    Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

    I think that policies should be automatically enforced.

    Ulf Mattsson, CTO Protegrity

  2. Nowadays, not only health-care organisations but every organisation is concerned about internal data breach threats. 73% of large and 41% of small UK businesses had a staff-related security breach in 2014 (study by the Department for Business, Innovation and Skills).

    Two of the most notorious information security breaches in modern times involved data stolen from SharePoint systems. Bradley Manning (WikiLeaks) and Edward Snowden (NSA) simply downloaded and leaked SharePoint document libraries full of data, causing damage of incalculable proportions. Even the US military, with their virtually unlimited budget, could not keep SharePoint security under control!

    Organisations need to ensure minimum necessary access to the information by regularly monitoring and updating these accesses. However, it is time-consuming to set up and can easily and quickly get out of control as people move around the evolving organisation. Access is easily granted, but rarely removed when no longer appropriate.

    As a result, people accumulate access to information they should not have. The risk of a serious security incident grows every day.

    This is why at Torsion, we transformed SharePoint into a truly security-first Enterprise Content Management platform. We’ve completely reimagined security in SharePoint around the needs of the organisation, based on established Information Security best practices.
    Peter Bradley
    CEO & Principal Architect
    Torsion Information Security
