Data breaches in healthcare are 50 percent more likely to stem from internal mistakes by employees than from external causes, such as hackers, according to a recent analysis published in JAMA Internal Medicine.
Researchers from Michigan State University in East Lansing and the Johns Hopkins Carey Business School in Washington, D.C., reviewed 1,138 breaches of protected health information reported to HHS' Office for Civil Rights from 2009 to 2017. OCR requires HIPAA-covered entities to report data breaches affecting more than 500 individuals.
The three most common causes of data breaches, according to the researchers, were theft by outsiders or unknown parties (32.5 percent), disclosing PHI through mailing mistakes by employees (10.5 percent), and theft by former or current employees (9 percent). Overall, 53 percent of breaches were attributable to the healthcare organization's own mistakes or neglect, the report states.
Different storage modalities and communication channels also experienced different PHI breach risks. The plurality of breaches involved mobile devices (46.1 percent), followed by paper records (28.7 percent) and network servers (29.3 percent). Of the 20.4 percent of breaches that occurred while communicating PHI, 65.5 percent were due to mailing mistakes and 34.5 percent were due to emailing mistakes.
Although the researchers noted their findings may not be generalizable to breaches affecting fewer than 500 individuals, they wrote, "healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security."
To access the complete analysis, click here.