By SecureWorld News Team
Tue | Mar 6, 2018 | 12:05 PM PST

Thousands of people in Kansas are being notified that their protected health information (PHI) has been shared in a way it should not have been.

And it validates findings in a new study on privacy and cybersecurity. 

Employee shares protected health information

The Kansas Department for Aging and Disability Services (KDADS) says an employee shared patient information with agency business associates without approval. The employee sent the information by email.

"The email contained an attachment which included consumer names, addresses, dates of birth, Social Security numbers, gender, in-home services program participation information and Medicaid identification numbers."

The email and attachment shared protected health information of 11,000 Kansans.

Lesson from Kansas: How is KDADS protecting its client data, and what does its identity and access management (IAM) program look like? Do you have PHI, or access to it, in the hands of employees who do not need it?

Did this employee need access to this information in the first place? If not, the whole situation could have been avoided. And if the access was legitimate, the question becomes why a single employee could email the full dataset outside the agency without an approval step.
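The two questions above (does this role need PHI at all, and can a PHI-bearing attachment leave without approval) are the kind of thing a healthcare InfoSec team can check mechanically. The following is an added example, not code from SecureWorld, KDADS or Verizon: it models a constructed need-to-know matrix for an access review and a simple outbound-email check over a constructed CSV attachment whose columns mirror the field types the article lists. The roles, domains, field names and data are assumptions; the SSN pattern only matches the shape of a number, not whether one is real.

```python
import csv
import io
import re

# Constructed need-to-know matrix (hypothetical, not KDADS policy): which
# job functions have a business need for which classes of consumer data.
NEED_TO_KNOW = {
    "case_manager": {"name", "address", "dob", "medicaid_id", "services"},
    "billing": {"name", "medicaid_id", "ssn"},
    "front_desk": {"name"},
}
# Column names treated as PHI in this example (assumed labels).
PHI_FIELDS = {"ssn", "dob", "medicaid_id", "services", "address", "gender"}


def excess_phi_access(role, granted):
    """PHI fields a role has been granted but its job function does not need.
    Anything returned is a least-privilege finding for an access review."""
    return (set(granted) & PHI_FIELDS) - NEED_TO_KNOW.get(role, set())


# SSN-shaped values: areas 000, 666 and 9xx, group 00 and serial 0000 are
# never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def check_outbound_email(recipients, attachment_csv, approved_ba_domains,
                         approval_ref=None):
    """Decide whether a message with a CSV attachment may leave the agency.

    Returns (decision, reasons). The message is blocked when the attachment
    carries PHI and either a recipient is outside the approved business
    associate domains or no disclosure approval reference is attached.
    """
    reader = csv.DictReader(io.StringIO(attachment_csv))
    rows = list(reader)
    headers = {h.strip().lower() for h in (reader.fieldnames or [])}
    phi_columns = headers & PHI_FIELDS
    ssn_hits = sum(1 for row in rows for v in row.values()
                   if v and SSN_RE.search(v))
    carries_phi = bool(phi_columns or ssn_hits)

    reasons = []
    if phi_columns:
        reasons.append(f"PHI columns in attachment: {sorted(phi_columns)}")
    if ssn_hits:
        reasons.append(f"{ssn_hits} SSN-pattern values in attachment")

    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in approved_ba_domains]
    if carries_phi and external:
        reasons.append(f"recipients outside approved business associates: {external}")
    if carries_phi and not approval_ref:
        reasons.append("no disclosure approval reference on a PHI-bearing message")

    decision = "block" if carries_phi and (external or not approval_ref) else "allow"
    return decision, reasons


# Constructed attachment: same field types the article lists, invented values.
SAMPLE_ATTACHMENT = """name,address,dob,ssn,gender,services,medicaid_id
A. Example,1 Main St,1950-01-02,123-45-6789,F,in-home,KS0000001
B. Example,2 Main St,1948-03-04,234-56-7890,M,in-home,KS0000002
"""

if __name__ == "__main__":
    # A front-desk account holding SSN, DOB and Medicaid ID is over-entitled.
    print(excess_phi_access("front_desk", {"name", "ssn", "dob", "medicaid_id"}))
    # The full extract going to an unapproved domain with no approval is blocked.
    print(check_outbound_email(["vendor@example.org"], SAMPLE_ATTACHMENT,
                               {"approved-ba.example"}))
    # The same extract to an approved business associate with an approval
    # reference is the legitimate path and is allowed.
    print(check_outbound_email(["contact@approved-ba.example"], SAMPLE_ATTACHMENT,
                               {"approved-ba.example"}, approval_ref="DUA-2018-001"))
```

The entitlement check runs offline against whatever role-to-data mapping the agency actually maintains; the email check is the shape of a DLP rule, where the useful part is not the regex but the coupling of "contains PHI" with "who is the recipient" and "is there an approval on record".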

Healthcare: only industry where insiders cause most of the breaches

We still don't know why the employee sent the information. Was it with malicious intent? Was it simply an accident, or perhaps just a time saver?

Regardless, the case backs up Verizon's new report on cybersecurity in healthcare. The study found that most data breach incidents in the healthcare industry involve an insider.

"58 percent of incidents involved insiders. Healthcare is the only industry in which internal actors are the biggest threat to an organization. Often they are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent)."

Ponemon on insider threat risk and costs

We'll be seeing Dr. Larry Ponemon as he keynotes SecureWorld Boston on March 14-15, 2018. I interviewed him recently about insider threats, and he explained why it tends to get downplayed in many organizations:

"Insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, often, they were much more costly than external incidents. And companies err on the side of goodness; they don't want to accuse somebody without full evidence of a crime, so they write it off as negligence."

What the Kansas case means for InfoSec

Although we still have unanswered questions in the Kansas case, one thing is very clear:

InfoSec teams in healthcare have their work cut out for them as they try to train the business to stop the internal bleeding of patient data.
