In Verizon’s 2018 Protected Health Information Data Breach Report, researchers found that nearly 58% of healthcare security incidents involved insiders. Healthcare staff, for various reasons, often violate HIPAA and cause data breaches that compromise protected health information (PHI), resulting in great loss for their employer. Healthcare is the only industry in which internal actors are the greatest threat. In other words, healthcare organizations can be their own worst enemy.
Verizon’s report identified the top three (largely internal) causes of data breaches:
- Human error (33.5% of cases)
- Intentional misuse (29.5% of cases)
- Physical loss (16.3% of cases)
This post will investigate these three insider-caused breaches and consider how you can defend your organization against self-destructive employee practices and create a culture of security compliance.
Human Error Breaches
Not all breaches come with malicious intent. In fact, approximately half of insider-caused breaches were due to human error – simple mistakes. Nevertheless, these errors indicate a serious lack of employee awareness and/or training.
Misdelivery of PHI (38.2% of human error cases) is the most common type of human error that puts PHI at risk. In the healthcare industry, employees handle sensitive data all day long. When someone sends PHI to the wrong recipient (for example, by email or mail), they have misdelivered the information, which is considered a breach.
The second most common human errors are disposal errors (17.2% of cases). Disposal errors occur when sensitive data is improperly disposed of. For example, an employee may throw documents containing PHI in the trash without first shredding them. Careless disposal can easily compromise PHI.
Although healthcare organizations pay much attention to electronic data security, Verizon’s report found that most human errors (including misdelivery and disposal errors) compromise physical documents or assets, not electronic data. Similarly, a study by The American Journal of Managed Care found that PHI contained on paper and film is most commonly breached. Therefore, it’s important to take security outside the digital world and protect access to physical documents and devices.
Intentional Misuse Breaches
Misuse is intentional, unauthorized – and, in some cases, malicious – access to sensitive data. Most misuse cases come from employees abusing their access to data and assets, although some misuse can come from outside the organization.
Privilege abuse by healthcare staff accounts for 66% of misuse cases and is by far the most common type of data misuse, according to Verizon. Privilege abuse is when someone uses their access to PHI without a legitimate need for that information. With the amount of PHI healthcare staff access day-to-day, it’s relatively easy to abuse that privilege. Employees may be motivated by convenience or by financial gain or other malicious purposes.
Similarly, possession abuse (16.9% of misuse cases) occurs when staff members access physical data, such as print documents or devices containing PHI, without a justifiable need. Again, the motivation can range from simple curiosity – such as looking for information about a family member or friend – to malicious intent.
Physical Loss Breaches
Sometimes physical assets simply go missing. When an asset containing PHI is lost, whether intentionally or by misplacement, it’s considered a breach until proven otherwise. According to The American Journal of Managed Care study, theft surpassed unauthorized access/disclosure as the most common security incident. Theft accounts for 95.2% of unauthorized physical access to and use of assets containing sensitive data.
Laptops are prime targets of theft because of their portability, the wealth of information they can contain, and the ease of reselling them for cash. Laptops are most often stolen from employee vehicles. Unencrypted laptops or other mobile devices that are guarded only by a password are a great risk to your organization. Therefore, make sure you can account for and securely use your organization’s mobile devices.
How to Prevent Data Breaches
The largest threat to healthcare organizations is their own employees. So, how do you prevent a data breach? It can feel overwhelming to analyze the day-to-day practices of your staff members or run a full security risk analysis. However, these steps are vital to creating a culture of security compliance in your organization. There are several proactive steps you can take to reduce your risk of a data breach.
Regularly train your staff members on the tricky areas of HIPAA privacy and security. For example, when can you disclose PHI? What are incidental disclosures? How do you recognize a breach? How do you safeguard access to electronic and physical PHI? Staff training should be periodic and as department-specific as possible, so every employee is familiar with their responsibility to secure PHI, such as how to send sensitive data securely and properly dispose of documents and devices that are no longer needed.
Combat privilege and possession abuse by enforcing the Minimum Necessary Standard, which restricts staff access to only the information they need to carry out their duties. Though this standard doesn’t guarantee that employees won’t occasionally misuse their privilege, it’s vital to include in your training. Additionally, researchers suggest that hospitals should regularly audit employee access to PHI and use biometric identifiers and 2-factor authentication to prevent unauthorized users from accessing PHI.
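As an added example (not code from the original post or from HIPAAtrek), the following Python script audits a constructed EHR access log for accesses that fall outside the Minimum Necessary Standard: clinical staff are flagged when they open the chart of a patient not assigned to them that day, and billing staff are flagged when they perform an action their role does not need. The log format, the assignment export, and the role action list are all assumptions.

```python
# Added example, not from the original post: audit an EHR access log for
# accesses outside the Minimum Necessary Standard. Clinical staff are
# flagged when they open a chart of a patient they were not assigned that
# day; billing staff are flagged when they perform an action outside their
# role. The log format and assignment export are assumptions.
from datetime import datetime

# Constructed sample access log: timestamp user role patient action
ACCESS_LOG = """\
2024-03-04T08:12:05 nurse_ali RN P1001 VIEW_CHART
2024-03-04T08:40:51 nurse_ali RN P1002 VIEW_CHART
2024-03-04T09:03:22 billing_kim BILLING P1001 VIEW_INSURANCE
2024-03-04T09:05:10 billing_kim BILLING P1001 VIEW_CLINICAL_NOTES
2024-03-04T12:15:09 nurse_ali RN P2044 VIEW_CHART
2024-03-04T12:16:40 nurse_ali RN P2044 PRINT_CHART
2024-03-04T13:02:00 dr_roe MD P1002 VIEW_CHART
"""

# Constructed assignment export: (date, user) -> patients under their care
ASSIGNMENTS = {
    ("2024-03-04", "nurse_ali"): {"P1001", "P1002"},
    ("2024-03-04", "dr_roe"): {"P1002"},
}

# Roles with no care assignment are limited to the actions their job needs
ROLE_ACTIONS = {"BILLING": {"VIEW_INSURANCE"}}


def parse_log(text):
    """Split each whitespace-separated log line into its five fields."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def audit_access(log_text, assignments=ASSIGNMENTS, role_actions=ROLE_ACTIONS):
    """Return (timestamp, user, patient, action, reason) for each flagged access."""
    findings = []
    for ts, user, role, patient, action in parse_log(log_text):
        day = datetime.fromisoformat(ts).date().isoformat()
        if role in role_actions:
            if action not in role_actions[role]:
                findings.append((ts, user, patient, action, "action outside role scope"))
        elif patient not in assignments.get((day, user), set()):
            findings.append((ts, user, patient, action, "no care relationship on this date"))
    return findings


if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG):
        print(" ".join(f))
```

Each finding is a lead for the privacy officer to review, not proof of abuse; legitimate reasons (emergency care, float staff) should be reconciled against the assignment data before any conclusion is drawn.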
Set safeguards not only on your information systems and workstations but also on your physical environment and workflow. How are written forms, files, and other documents handled from one person or department to the next? Is there opportunity for other patients or unauthorized staff members to see – or even steal – the documents? How should nurses use the nurses’ station whiteboard? What security measures can your front-desk staff members take to keep the public from viewing PHI?
Mobile Device Management
Because lost or stolen mobile devices containing PHI can pose a serious threat to your data, you must properly manage your organization’s mobile devices. This includes keeping a complete inventory, using a check-out/check-in log, encrypting mobile devices, and safely destroying devices that are no longer needed.
HIPAAtrek can help you create a culture of security compliance at your organization. You can record the details of all security incidents in the HIPAAtrek platform and use the integrated Breach Risk Assessment Tool to determine if the incident was a breach. This feature makes documentation easy and leaves an auditable trail of compliance. Furthermore, you can use HIPAAtrek to send out security reminders to your staff and track their HIPAA compliance training. Request a demo or contact us for more information.