Healthcare organizations stand out in new data breach report
Healthcare organizations made up 15% of all data breach victims in this year’s Verizon Data Breach Investigations Report, which analyzed data from over 40,000 security incidents and 2,000 data breaches worldwide. In the report, healthcare also stood out as the only industry where the majority of data breaches were caused by insiders, or “internal actors” – those who have already been granted database access to do their jobs. Effectively monitoring and flagging unauthorized access to data is a matter of real concern in this space. Preparing to communicate around these types of incidents is also critical, considering healthcare breaches can generate significant reputational impacts given the potential sensitivity of information involved.
Within the healthcare industry, the report found:
- Data compromised included medical (72%), personal (34%) and credentials (25%);
- Top motives were classified as financial (83%), followed by fun (6%), convenience (3%), grudge (3%), and espionage (2%);
- 81% of all healthcare cybersecurity incidents involved miscellaneous errors (e.g., software misconfiguration), privilege misuse and web applications.
The industry is also not immune to other common problems across the cybersecurity space, including phishing emails or misdelivery (sending data to the wrong recipient). Yet these incidents can be far more complex in the healthcare realm due to the highly sensitive nature of data involved, and can impact public trust in an organization.
Regardless of the defense measures put in place by security professionals, data breaches continue to make headlines around the world. So how can healthcare organizations best prepare?
- Understand the regulatory environment: The evolving regulatory landscape around data security and privacy in Canada means organizations may be under legal obligations to report breaches and notify impacted stakeholders in the event of an incident, and these communications could generate reputational exposure for a trusted healthcare organization.
- Have a proactive dialogue around privacy: Develop a core privacy narrative that enables your healthcare organization to frame the conversation, demonstrate good governance, and highlight your commitment to data security best practices.
- Plan for a data security incident: Develop a data incident communications response plan that guides communication with key stakeholders, including patients or customers, employees, business partners, government officials, and media.
- Practice, practice, practice: The communications response team should simulate a high-risk, high-probability scenario that tests the response plan and bolsters team performance.
Edelman is the only communications firm in Canada with a dedicated Data Security & Privacy practice group, and we have extensive experience working alongside cybersecurity forensics, insurance, privacy and legal teams. We help some of BC’s largest healthcare organizations prepare for data security and privacy incidents, including developing response plans and conducting training sessions around high-risk scenarios.
#cybersecurity #healthdata #healthcare #healthcarecommunications #YVR
Founding Partner at WinterCove Communications
5 years ago: Very interesting piece Elise!