Are insiders more of a threat to patient privacy than outside hackers? That seems to be the finding of a (limited) survey by Veriphyr, a security company whose products detect unauthorized access to the personal information that resides in IT systems, applications, or databases.
As reported in an article this week at Dark Reading, the survey found that some 71 percent of the health-care organizations it surveyed have experienced one or more data breaches in the past 12 months. Furthermore, according to Veriphyr's survey,
"Snooping into medical records of employees was the most commonly reported type of breach (35%), followed by snooping into the records of friends and relatives (27%), loss or theft of physical records (25%)."
As I have noted in previous blog posts here and here, snooping into celebrity/VIP medical records is also a strong temptation. Some 6 percent of Veriphyr's survey respondents indicated that this had happened in the past year.
In addition, more than 38 percent of the organizations surveyed indicated they had two or more data record breaches, and 20 percent reported they had three or more!
Detection of the data breaches was not always speedy. Although 16 percent said they discovered the breaches within one to three days, 18 percent said it took a week, 25 percent said it took two weeks to a month, 8 percent indicated it took one to two months, and 3 percent indicated it took even longer.
Some 79 percent of those surveyed also indicated that they were either "somewhat concerned" or "very concerned" that they could not detect data breaches in a timely manner.
Detecting the breach doesn't mean resolving it, either. Once a breach had been detected, 16 percent of Veriphyr's survey respondents indicated it took one to three days to investigate and resolve it; 18 percent said it could take up to a week, and 25 percent said it could take two weeks to a month.
A recent example of taking a long time to resolve a medical records breach involves California-based insurer Health Net. In March, I blogged about the computer servers, containing the records of 1.9 million of its customers, that mysteriously went missing from Health Net's data center. Well, last month, Health Net indicated that the breach was larger than it first thought, although it seemingly won't fully disclose how much larger.
The usefulness of Veriphyr's survey is reduced somewhat by the fact that not one of the 90 respondents indicated they had experienced unauthorized system or application access by an external threat. This result seems to contradict other reports indicating that attacks on health-care organizations are increasing.
That said, there is an interesting list of 28 U.S. health record–related data breaches of the past six months here at Becker's Hospital Review. Only four or five seem related to external cyber threats; most are related to the loss or theft of equipment, or unauthorized insider access to records.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.