Analysis by Egress shows human element is a cybersecurity weaknesses in healthcare and beyond
Egress Software Technologies, a leading provider of data security services, has revealed that the UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016. In total, healthcare organisations suffered 2,447 incidents and accounted for 43 per cent of all reported incidents in the time period. By comparison, the second highest was local government, with 642 reported incidents – an 11 per cent share. The data, received from the Information Commissioner’s office, also shows that human error accounts for the almost half of these incidents across every sector.
In its analysis of the data, Egress found a clear spike in data breach incidents within UK healthcare organisations. Comparing the last quarter (October – December) of the past three years, healthcare organisations were found to consistently top the list for data breach incidents. Furthermore, the number of incidents rose year on year, with a 20 per cent increase, from 184 incidents in the last quarter of 2014, to 221 in the last quarter of 2016.
Critically, the findings showed that the many of these incidents are attributed to human error, rather than external threat. Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were:
1. Theft or loss of paperwork – 24 per cent
2. [Other principle 7 failure] – 22 per cent
3. Data faxed/posted to incorrect recipient – 19 per cent
4. Data sent by email to incorrect recipient – 9 per cent
5. Failure to redact data – 5 per cent
“Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus,” said Tony Pepper, CEO and co-founder of Egress Software Technologies. “While it’s clear there is a security problem in healthcare, these figures show that it is as much about internal activity as external threat.
“There’s no doubt that someone inadvertently emailing a spreadsheet containing sensitive patient details to the wrong person isn’t as good a headline as a ransomware attack, but that does not diminish the threat it poses.”
● While healthcare had the highest volume of incidents, others are increasing more rapidly. Across all sectors, the total number of security incidents reported has increased by almost one-third (32 per cent) since 2014.
● The courts and justice sector has experienced the most significant increase in incidents, a 290 per cent hike since 2014, placing it in the top five worst affected industries by the last quarter of 2016.
● Other significant increases can be seen in the central government and finance industries, with 33 per cent and 44 per cent increases, respectively.
● The ‘human element’ – where internal staff have made mistakes – accounted for almost half of total data breach incidents: 44 per cent October-December 2014, 43 per cent 2015, 49 per cent 2016.
● Data shared in error is the single highest contributor to breaches year-on-year resulting from human error, annually, causing roughly one-third of incidents (31 per cent 2014, 34 per cent 2015, 31 per cent 2016).
“We are all aware that security incidents are rising, but many may not suspect how large a proportion of these are down to error and lack of control over sensitive data,” continued Pepper. “What the information from the ICO makes clear is that all businesses need to do more to better protect sensitive information. Meeting this challenge requires a combination of improved employee training and the communication of risks, and the deployment of the right technologies to minimise the number opportunities available for human error to take hold.”