In Part 1 of the article, Finn Partner’s surveyed over 500 employees are various organizations across the United States to examine the cyber-risk employees pose for their employers. In a review of the results, it was found that two in five employees openly admitted to clicking on links or opening attachments from senders they did not recognize. Further, it was found that 55% of employees are using personal devices for work engagements, a practice that directly increases an organizations exposure to security threats.
Unfortunately, we do not have good news.
Evaluation of Causes of Protected Health Information Breaches
A more recent study, conducted by John (Xuefeng) Jiang and Ge Bai, published November 19, 2018, reviews government recorded data regarding the root causes of healthcare data breaches. Unsurprisingly, employees and internal factors, again, remain at the top of the list.
When a healthcare organization falls victim to a data breach, it must be reported to the U.S. Department of Health and Human Services. Information regarding each breach is then categorized into one of six categories believed to be the root cause of the breach. Those categories are: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or “other.”
John (Xuefeng) Jiang, Ph.D. and Ge Bai, Ph.D., examined the data released by the U.S. Department of Health and Human Services on 1,138 health data breaches, affecting a total of 164 million patients, recorded from October 2009 to the end of 2017. Within the scope of the study, it was found that more than half of all the breaches are the result of internal factors in healthcare organizations, not hackers or any other form of external parties.
To be specific, Jiang and Bai found that 53% of the breaches were the direct result of internal factors within the healthcare organizations themselves, in other words, their employees. Theft and hackers made up the remaining 33% and 12%, respectively.
While hackers managed to get their hands on the health records for 133.8 million patients in 233 separate incidents during the study period, nearly 25% of all cases were caused by unauthorized access or disclosure, more than double the amount caused by external hackers.
This type of breach could be the result of an employee taking personal health care information home, or forwarding the data to a personal account or device. It could also be the result of an employee sending data to the wrong recipient.
“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,”
John (Xuefeng) Jiang – PhD
According to Jiang, the employees included here are those working in hospitals, doctors’ offices, insurance companies, and even pharmacies. These seemingly harmless errors are putting patient confidentiality at significant risk.
Consistent with associate professor Ge Bai, Ph.D., some healthcare organizations put protected healthcare information “on the website” without any protection, solely on account of employee negligence. In some instances, employees failed to encrypt the personal data even with access the encryption software.
What Can Be Done?
Both Jiang and Bai believe that health care providers should adopt internal policies and procedures to tighten processes and prevent internal parties from leaking personal healthcare data.
Such protocols should include regular employee awareness training, as well as general rules with pertinence to the transmission of protected health information.
To adequately address data breaches related to improper storage, all paper records, which accounted for 29% of breaches, should first be transferred to digital medical records. Also, the use of mobile devices, which were involved in 46% of cases, should be avoided in favour of encryption and firewall protected data storage.
Thus, concerning internal factors, moving towards non-mobile policies for patient-protected data and implementing mandatory encryption procedures is a good start for healthcare providers.
What Does This Mean for Your Organization?
For information on Employee Awareness Training, to identify your organization’s greatest threat or for help Choosing a Penetration Testing Company, please review our website and contact us for in-depth information on how to prepare your organization.