Egress Software Technologies, a leading provider of data security services, has revealed that the UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016. In total, healthcare organisations suffered 2,447 incidents and accounted for 43 percent of all reported incidents in the time period. By comparison, the second highest was local government, with 642 reported incidents – an 11 percent share. The data, received from the Information Commissioner’s office, also shows that human error accounts for the almost half of these incidents across every sector.
In its analysis of the data, Egress found a clear spike in data breach incidents within UK healthcare organisations. Comparing the last quarter (October – December) of the past three years, healthcare organisations were found to consistently top the list for data breach incidents. Furthermore, the number of incidents rose year on year, with a 20 percent increase, from 184 incidents in the last quarter of 2014, to 221 in the last quarter of 2016.
Critically, the findings showed that the many of these incidents are attributed to human error, rather than external threat. Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were:
- Theft or loss of paperwork – 24 percent
- [Other principle 7 failure] – 22 percent[1]
- Data faxed/posted to incorrect recipient – 19 percent
- Data sent by email to incorrect recipient – 9 percent
- Failure to redact data – 5 percent
“Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus,” said Tony Pepper, CEO and co-founder of Egress Software Technologies. “While it’s clear there is a security problem in healthcare, these figures show that it is as much about internal activity as external threat.
“There’s no doubt that someone inadvertently emailing a spreadsheet containing sensitive patient details to the wrong person isn’t as good a headline as a ransomware attack, but that does not diminish the threat it poses.”
Additional findings:
- While healthcare had the highest volume of incidents, others are increasing more rapidly. Across all sectors, the total number of security incidents reported has increased by almost one-third (32 percent) since 2014.
- The courts and justice sector has experienced the most significant increase in incidents, a 290 percent hike since 2014, placing it in the top five worst affected industries by the last quarter of 2016.
- Other significant increases can be seen in the central government and finance industries, with 33 percent and 44 percent increases, respectively.
- The ‘human element’ – where internal staff have made mistakes – accounted for almost half of total data breach incidents: 44 percent October-December 2014, 43 percent 2015, 49 percent 2016.[2]
- Data shared in error is the single highest contributor to breaches year-on-year resulting from human error, annually, causing roughly one-third of incidents (31 percent 2014, 34 percent 2015, 31 percent 2016).
“We are all aware that security incidents are rising, but many may not suspect how large a proportion of these are down to error and lack of control over sensitive data,” continued Pepper. “What the information from the ICO makes clear is that all businesses need to do more to better protect sensitive information. Meeting this challenge requires a combination of improved employee training and the communication of risks, and the deployment of the right technologies to minimise the number opportunities available for human error to take hold.”