Internal errors more likely to cause healthcare breaches than outside threats

Data breaches in healthcare are 50 percent more likely to stem from internal mistakes by employees than from external causes, such as hackers, according to a recent analysis published in JAMA Internal Medicine.

Researchers from Michigan State University in East Lansing and the Johns Hopkins Carey Business School in Washington, D.C., reviewed 1,138 breaches of protected health information reported to HHS' Office for Civil Rights from 2009 to 2017. OCR requires HIPAA-covered entities to report data breaches affecting more than 500 individuals.  

The three most common causes of data breaches, according to the researchers, were theft by outsiders or unknown parties (32.5 percent), disclosing PHI through mailing mistakes by employees (10.5 percent), and theft by former or current employees (9 percent). Overall, 53 percent of breaches were attributable to the healthcare organization's own mistakes or neglect, the report states.

Different storage modalities and communication channels also experienced different PHI breach risks. The plurality of breaches involved mobile devices (46.1 percent), followed by paper records (28.7 percent) and network servers (29.3 percent). Of the 20.4 percent of breaches that occurred while communicating PHI, 65.5 percent were due to mailing mistakes and 34.5 percent were due to emailing mistakes.  

Although the researchers noted their findings may not be generalizable to breaches affecting fewer than 500 individuals, they wrote, "healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security."


© Copyright ASC COMMUNICATIONS 2019.