DataBreaches.Net

Reducing insider breaches – what works?

Posted on January 2, 2013 by Dissent

Over the past year, I’ve had the opportunity to talk to a number of people in different organizations who are concerned with insider breaches in the health care sector. One of those people is Kurt Long, CEO and Founder of FairWarning, a firm that provides patient privacy monitoring (privacy breach detection) systems.

So, here’s a little pop quiz to start this post:

  1. What percent of insider breaches are reduced by employee training on HIPAA and review of access policies?
  2. What percent of insider breaches can be reduced by installing monitoring software?
  3. What percent of insider breaches can be reduced if you actually enforce policies and discipline employees?

Ready for his answers?

According to data compiled by FairWarning using before-and-after data on their clients:

  • Employee training can reduce insider breaches by 58%
  • Monitoring the network for improper access is crucial, but may not significantly change the culture until combined with
  • Disciplining or sanctioning employees, which effectively communicates that employee access is being monitored and inappropriate access will have serious consequences.

Monitoring and enforcement can reduce insider breaches by another 40%.

Overall, within a 6-month period, FairWarning’s clients experience an 85-98% reduction in insider breaches, Long says.

That’s good advertising for them, and I’m sure readers will point out that their statistics, based on a non-random sample, may be somewhat self-serving. But their findings should also be food for thought for your practice or organization.

This past year, I blogged a lot about insider breaches in the healthcare sector. While strengthening firewalls against external threats is critical, as is training employees not to fall for phishing schemes and not to leave PII on unencrypted devices in unattended vehicles, some of the standard security precautions – like encrypting PHI – really do nothing to reduce breaches by those who are authorized to access patient data. FairWarning’s data suggest that a strong employee training program combined with monitoring access and making a point of enforcing discipline so that everyone gets the message might reduce the vast majority of insider privacy breaches.

But while creating a culture in which employees understand that they might or will lose their jobs for inappropriate access is important, I think it’s also crucial that those in the health care sector see more examples of employees being criminally prosecuted for snooping or other inappropriate access. California has been in the forefront of pursuing cases of snooping, while the federal government has been in the forefront of prosecuting cases involving patient data used for Medicare fraud and tax refund fraud. Unfortunately, many prosecutions for fraud do not name the hospital or health care provider whose employee(s) engaged in illegal conduct. Perhaps if they did, organizations of all sizes would be more concerned about potential reputation harm and would take more aggressive steps to prevent insider breaches. Even if an entity is not named, however, such breaches can incur significant breach costs and affect patients’ confidence or trust in the entity to protect their sensitive information.

So what will your organization be doing in 2013 to reduce insider breaches? And if your organization has implemented some effective strategies to reduce insider breaches, what are those strategies?

Category: Health Data
