The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Editorial: 9 Out of 10 Data Breaches Could Have Easily Been Avoided

Take a look at the healthcare data breach entries in the OCR web portal for 2015 (or any year) and you will notice the same types of data breaches are repeated time and again. The vast majority of those data breaches are avoidable.

A large percentage involve the loss of portable storage devices such as zip drives and hard drives. Many cite stolen devices, with laptop theft particularly common. Then there are server misconfigurations and firewalls that have been accidentally switched off. Patches are not installed promptly, leaving security vulnerabilities that can all too easily be exploited. Passwords are set that are too easy to guess, default logins are not changed, and risk assessments are not conducted regularly.

It may not always be possible to prevent a successful cyberattack, but it is possible to prevent the vast majority of data breaches.

Study Finds 9 out of 10 Data Breaches Could Easily Have Been Avoided

In fact, 9 out of 10 data breaches could easily have been avoided according to a study published by the Online Trust Alliance (OTA). The study assessed the reported data breaches from the first 6 months of 2014 and found that in 91% of cases, the breaches could have easily been prevented.


With hindsight, it is easy to say that a breach could have been avoided; however, the study showed that in the majority of cases, data exposure could have been avoided by applying basic and well-established security practices.

Some of the basic security measures include installing software patches when they are released. All too often patches are not installed promptly and software is not upgraded, even when organizations are provided with ample notice that software support will be retired.

The risk of zip drives and other portable storage devices being lost or stolen is particularly high, yet alternatives are not explored and data encryption is not implemented. In the study, 18% of breaches were the result of lost or stolen devices used to store sensitive data. Only after suffering a breach do many healthcare organizations decide to encrypt their portable storage devices.

Social engineering was used in 11% of breaches. Training on anti-phishing strategies and how to identify social engineering scams could have prevented the vast majority of these data breaches.

Human Error Causes the Majority of Data Breaches

OTA assessed more than 1,000 data breaches that occurred between January and June 2014. While hacks often make the headlines, they only accounted for 40% of the breaches studied, and even then many of those were easily avoidable had precautions been taken and security holes plugged.

Risk assessments are still not being conducted regularly, and oftentimes they are not fully comprehensive. Employees stealing or leaking data caused 29% of data breaches. In the case of leaks, training could have prevented a considerable proportion of those data breaches. In the case of theft, tighter controls over the data employees were allowed to access prior to their departure could have prevented it. The study may not have assessed the most recent breaches, but the same errors are being made time and again. The study is just as relevant in 2016.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
