Verizon’s 2014 Data Breach Investigations Report categorized 63,000 security incidents from 95 countries into 9 categories of causes.

For the healthcare organizations surveyed, just 3 of those categories accounted for 73% of the security incidents experienced: Theft and Loss (46%), Insider and Privilege Misuse (15%) and Miscellaneous Errors (12%). Our thoughts about Theft and Loss, the largest category for healthcare security incidents, are in our earlier post.

The Insider and Privilege Misuse category, which accounted for 15% of the security incidents in healthcare, covers situations in which employees, ex-employees and partners with access rights use their privileges to access data, either physically (e.g. paper records) or over the network (i.e. digitally). The majority of insider misuse incidents (85%) took place over the corporate network.

Verizon recommends the following steps to protect your organization:

  1. Know your data. You can’t protect data if you don’t know where it is and who has access to it.
  2. Review user accounts. Implement processes to continually monitor user and system behavior, and revoke access when users leave the organization or change roles.
  3. Implement DLP. Data loss prevention software blocks sensitive information from being sent via email.
  4. Publish anonymized results of audits. A continuous monitoring program is more effective when employees can see that policies have actually been enforced.
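One way to operationalize steps 1 and 2 (know who has access, and review accounts against role and employment status) is a periodic reconciliation of the identity store against the HR roster. This is an added example, not from the Verizon report or the original post; the account and HR schemas, the role-to-group policy and the sample data are all constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:            # one row of an identity-store export (constructed schema)
    user: str
    enabled: bool
    groups: frozenset
    last_login: date

@dataclass(frozen=True)
class HrRecord:           # one row of the HR roster (constructed schema)
    user: str
    status: str           # "active" or "terminated"
    role: str
    end_date: "date | None" = None

# Groups each role legitimately needs (constructed policy table, not a real product's).
ROLE_GROUPS = {"nurse": {"ehr_clinical"}, "billing": {"ehr_billing"},
               "it_admin": {"domain_admins", "ehr_clinical", "ehr_billing"}}

def review_accounts(accounts, hr, today, stale_days=90):
    """Return (user, issue) findings for accounts needing revocation or review."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:                        # account with no owner in HR
            findings.append((acct.user, "no HR record"))
        elif rec.status == "terminated" and acct.enabled:
            findings.append((acct.user, f"enabled after termination on {rec.end_date}"))
        else:
            excess = acct.groups - ROLE_GROUPS.get(rec.role, set())
            if excess:                         # access left over from a previous role
                findings.append((acct.user, "groups beyond role: " + ", ".join(sorted(excess))))
            if acct.enabled and (today - acct.last_login).days > stale_days:
                findings.append((acct.user, f"no login in {stale_days} days"))
    return findings
# Constructed sample data: four accounts, three HR records, reviewed on 2014-05-10.
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, frozenset({"ehr_clinical"}), date(2014, 5, 1)),
    Account("rroe", True, frozenset({"ehr_billing"}), date(2014, 4, 20)),
    Account("asmith", True, frozenset({"ehr_clinical", "ehr_billing"}), date(2014, 5, 2)),
    Account("svc_old", True, frozenset({"domain_admins"}), date(2013, 11, 1)),
]
SAMPLE_HR = [
    HrRecord("jdoe", "active", "nurse"),
    HrRecord("rroe", "terminated", "billing", date(2014, 3, 31)),
    HrRecord("asmith", "active", "nurse"),
]
```

Calling `review_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, date(2014, 5, 10))` flags the still-enabled terminated user, the nurse carrying a billing group from a previous role, and the admin account with no HR owner, while the correctly provisioned account produces no finding.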

Miscellaneous Errors accounted for 12% of the healthcare industry security incidents analyzed. This category covers any mistake that results in a security compromise, such as posting private data to public sites, sending protected health information to the wrong recipients, or failing to dispose of assets securely.

Human error can never be eradicated from the workplace. However, Verizon recommends the following controls and technology changes to reduce the likelihood of such errors creating a breach of protected health information and a potential PR nightmare for your organization:

  1. Strengthen controls on publishing. Scan public-facing sites regularly for sensitive data and tighten security controls around posting documents to websites.
  2. Train staff about proper data disposal methods. Employees must understand that paper documents containing sensitive information and/or electronic equipment cannot simply be tossed in the dumpster.

The incident patterns identified point to common practices by employees and criminals that most standard risk remediation practices can address.
