Healthcare organizations seeking to reduce the risk of data breaches should reduce how much protected health information (PHI) they put on paper, while also stepping up “holistic” risk management efforts, according to a recent report.

Those steps can help address a unique aspect of data breaches in healthcare organizations. The 2018 Protected Health Information Data Breach Report from Verizon indicates that healthcare is the only industry where insiders accounted for the biggest threat to sensitive data. Fifty-eight percent of healthcare data breaches were attributed to employees, the report says.

Verizon analyzed 1,368 security incidents across 27 countries, finding that 33.5% of threat actions were from error and 29.5% were misuse. Physical threats accounted for 16.3%. Hacking and malware, the methods that tend to get the most media attention, accounted for only 14.8% and 10.8%, respectively.

Paper records were most often involved in errors. In error incidents involving unintentional actions directly compromising information, 38.2% were caused by misdelivery and 17.2% were attributed to disposal error.

Employees also abuse their access privileges. Of all incidents involving unapproved or malicious use of organizational resources, two-thirds came from privilege abuse, the report says.

“Access to a great deal of sensitive information is necessary for healthcare professionals to successfully carry out their duties. But along with that access comes the relatively easy ability to abuse it,” the report authors wrote. “Due to HHS regulations, ransomware outbreaks are to be treated as breaches (rather than data at risk) for reporting purposes. That poses the question: Is it that healthcare organizations are doing a poor job of preventing ransomware attacks, or does it only appear that way because they are required to report them all and other industries aren’t?”

In social attacks, which involved hackers targeting privileged individuals to gain access, 70% involved phishing and 11.7% involved pretexting. The researchers describe pretexting as “when the criminal emails, calls, or otherwise engages an employee in a conversation with end goals such as duping the employee into providing them with their username and password or other sensitive data.”

The Verizon report is available online at: