Phishing, employee error still putting data at risk, but in-house detection is improving

Cybersecurity experts at BakerHostetler document some bright spots and areas for improvement for healthcare organizations.
By Deirdre Fulton
11:02 AM

Cyberattacks, especially those stemming from phishing schemes, continue to plague healthcare organizations, but some aspects of company response and employee awareness appear to be improving, according to this year's Data Security Incident Response Report from leading data privacy and cybersecurity law firm BakerHostetler.

WHY THIS MATTERS
Healthcare industry entities comprise one-quarter of the incidents analyzed in the fifth annual report from BakerHostetler, which is based on insights gained from working on more than 750 incidents or potential incidents in 2018. Health information was at risk in 33 percent of the incidents analyzed in the report, second only to Social Security numbers.

Thirty-seven percent of all incidents were traced to phishing, and fully 55 percent of incidents involved employees as the responsible party, whether through simple mistakes, falling for phishing or being socially engineered. And though the number of incidents due to lost devices and inadvertent disclosures is going down, there is still work to be done, as these avoidable mistakes led to one-fourth of all incidents.

In-house detection capabilities appear to be improving. Whereas only 52 percent of incidents were detected internally in 2015, that number jumped to nearly 75 percent in 2018. Another bit of positive news for the healthcare sector: While the time from breach occurrence to discovery averages 66 days across all industries, it's just 36 days in healthcare. However, the healthcare sector is lagging slightly when it comes to containment and forensic analysis. Meanwhile, time from discovery to notification continues to climb for many organizations, jumping from an average of 40 days in recent years to 56 days in 2018 (49 days for healthcare entities).

BakerHostetler also documents increasing scrutiny from regulators and offers "basic steps that can be taken to drive incremental improvement in an entity's compliance and risk posture," ranging from enabling multi-factor authentication (MFA) to conducting tabletop exercises among key staff to prepare for potential incidents.

THE LARGER TREND
With healthcare IT systems vulnerable to everything from ransomware to nation-state cyberattacks, companies must learn from the misfortunes of others in order to plan, project resources, and prioritize areas for improvement. In line with other recent analyses, this report identifies incremental successes alongside persistent challenges, providing a road map for those who wish to leverage past incidents to prevent future breaches.

ON THE RECORD
"Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items," said Theodore J. Kobus III, head of BakerHostetler's privacy and data protection team. "Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor."

Deirdre Fulton is a communications professional and freelancer based in Maine.

On Twitter: @deirdrefulton

Healthcare IT News is a HIMSS Media publication.