Facebook, Dropbox, Whatsapp. This is the just the beginning of a long list of services that would send a shiver down the spine of the CISO of any healthcare company. To the CISO’s eye, any one of these applications is a potential vector for a data breach, be it accidental or malicious. They are not wrong.
The healthcare industry is disproportionately affected by the “insider threat”, i.e. the data security risk posed by its own employees. Verizon’s 2018 Protected Health Information Data Breach Report showed that 58 percent of incidents in healthcare involve insiders, which is drastically above the all-industry average of 27 percent. In fact, healthcare is the only industry in which internal actors are the biggest threat to the organisation.
This is largely due to the nature of the healthcare industry. Doctors, nurses, and a multitude of administrative staff need rapid access to patient data – it can literally be the difference between life and death. However, easy access to data comes at the cost of misuse.
>See also: Top cloud security risks for healthcare
So, what is the nature of these insider incidents? In an analysis of the motives of the internal actors, financial gain is perhaps unsurprisingly top, however it is followed by fun/curiosity and necessary convenience.
A decent proportion of these incidents were simply due to employees putting sensitive data on unapproved devices and in apps – like Facebook, Whatsapp, and Dropbox – because it makes their jobs easier. We’re talking about staff taking pictures of patient charts, sending test results over messaging apps, storing patient information in their own personal documents and so on.
It’s worth noting that these are only the incidents that healthcare organisations are aware of, so those that were uncovered and reported. The sad likelihood is that these bad practices are probably more everyday than the industry would like to admit.
What can be done?
Faced with protecting some of the most sensitive data available, security teams must develop an approach to limit the risk of staff accidentally, or otherwise, downloading threats or uploading confidential data to unapproved services. Many CISOs opt for a lockdown approach, completely denying access to web services.
“Stopping” and “blocking” has long been the mantra of the security industry. However, as the Verizon results show, this does not resolve the problem. When it comes to using technology at work, staff will always look for the path of least resistance. If one site is blocked, they’ll use another, and this just leaves security teams chasing their tails as they try to keep up with the employee work-around of the day. In fact, blocking just encourages employees to spread the data wider and into more dangerous places.
>See also: Healthcare efficiency through technology
Instead, security teams need to bring their staff, and the apps they use, into the fold. This means, rather than completely blocking cloud services and websites, security teams should accept that staff are using applications and watch, monitor, and control how, across all of their devices. By applying the proper security measures: deep inspection of web traffic, URL classification, and control of feature actions, healthcare organisations can protect their organisations and help staff to get their jobs done.
A cultural shift in a modern healthcare environment
The suggestion of letting staff use their applications of choice is likely to have the board spluttering into their coffees. But we live in a modern world, which requires a cultural boardroom shift to match technological advances. The alternative – banning apps and blindly hoping staff aren’t using them – is simply naive.
Furthermore, by green-lighting some apps that improve productivity, it means that staff will be less tempted to move to more dangerous alternatives. When it comes to work applications, the devil you know is better than the devil you don’t.
>See also: Healthcare will become digitised by 2030
The good news is, that by getting this issue under control, healthcare organisations can vastly improve their security posture. With so many different threats for organisations to worry about, security teams are often pushed to prioritise which to address first. But given 58 percent of breaches originated with staff, that is well over half of all incidents that could have probably been prevented.
The first step is to get the communication channels under control, as they are a gateway out of the building for your sensitive data and a way in for hackers. Security teams can’t afford to leave those gates unlocked. Human error is something that hackers rely on time and time again so if you can protect your staff, you are going a long way to protecting your data.
Sourced by Ed Macnair, CEO of CensorNet