5 Common Causes for Data Breaches in Healthcare
The healthcare industry has had 955 major security breaches over the last three years, according to a recent study, and the number has been steadily increasing. A total of 135,060,443 healthcare records were exposed or stolen over that three-year period, affecting 41 percent of the U.S. population.
This isn’t typical, either. Of all large data breaches across all sectors, hospitals accounted for around 30 percent of them from 2009 to 2016.
Small data breaches, such as the accidental exposure of the records of individual patients, happen very frequently as well.
Part of the reason healthcare reports so many data breach issues could be the fact that the sector has especially strict security requirements due to the sensitivity of the information it handles and the stringency of HIPAA.
Another thing that makes healthcare unique with regard to data breaches is that a majority of them come from inside the healthcare organization, rather than from outside attacks. The 2018 Protected Health Information Data Breach Report from Verizon found that internal actors cause 58 percent of breaches in healthcare.
So, how can healthcare companies prevent these data breaches? An essential first step is to understand their causes. This knowledge can then inform data security strategies. In light of this, here are five of the most common causes of data breaches in healthcare.
1. Human Error
According to the Verizon report, human error ranked as the most common source of healthcare data breaches, causing about 33.5 percent of them.
Misdelivery was the most prevalent type of human error, causing 38.2 percent of human error data breaches. Misdelivery refers to an instance in which a healthcare worker accidentally sends information to the wrong recipient.
The next two most common human error breaches were errors during disposal (17.2 percent) and loss of information (16.1 percent).
A 2017 study noted that 41 percent of health data breaches resulted from unintended disclosure.
Another study, published in the American Journal of Managed Care, found that physical documents like paper and film were more likely to be involved in data breaches than digital records. This is perhaps because it is more challenging to apply security measures to physical documents and to track them.
Because of this, transferring documents to digital form may make them more secure. Another step healthcare companies can take is to provide regular training that helps workers avoid errors.
2. Data Misuse
The Verizon report found that data misuse was the second most common type of healthcare data breach, causing 29.5 percent of incidents.
The most common type of data misuse was privilege abuse, meaning the misuse of access to digital records. Possession abuse, which refers to the same issue but with paper documents, accounted for 16.9 percent. Together, they accounted for 82.9 percent of data misuse incidents. Workers may misuse data out of convenience or curiosity, because of a grudge, or for many other reasons.
To cut down on the misuse of data, hospitals and other healthcare organizations should make access and control a priority and consider logging and monitoring use of databases.
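One way to act on the logging and monitoring advice above, as an added example that is not from the original article: a review pass over a record-access audit log that lists every access outside a user's assigned patients and flags users who open several such records in one day. The log layout, the `ASSIGNMENTS` mapping, the user names and the threshold are all assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data): time, user, record, action.
AUDIT_LOG = """\
ts,user,patient_id,action
2024-03-04T09:12:00,nurse_a,P100,view
2024-03-04T09:15:00,nurse_a,P101,view
2024-03-04T09:40:00,clerk_b,P100,view
2024-03-04T10:02:00,clerk_b,P205,view
2024-03-04T10:03:00,clerk_b,P206,view
2024-03-04T10:04:00,clerk_b,P207,export
2024-03-04T11:30:00,dr_c,P205,view
2024-03-05T08:00:00,nurse_a,P300,view
"""

# Hypothetical assignments: the records each user has a work reason to open.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101"},
    "clerk_b": {"P100"},
    "dr_c": {"P205", "P206"},
}


def review_access(log_text, assignments, max_unassigned_per_day=2):
    """Return (unassigned_events, flagged).

    unassigned_events: every access to a record outside the user's assignments.
    flagged: sorted (user, day) pairs with more than max_unassigned_per_day
    distinct unassigned records opened on that day.
    """
    unassigned = []
    per_day = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Users with no assignment entry are treated as having no allowed records.
        if row["patient_id"] in assignments.get(row["user"], set()):
            continue
        unassigned.append((row["ts"], row["user"], row["patient_id"], row["action"]))
        per_day[(row["user"], row["ts"][:10])].add(row["patient_id"])
    flagged = sorted(k for k, v in per_day.items() if len(v) > max_unassigned_per_day)
    return unassigned, flagged


if __name__ == "__main__":
    events, flagged = review_access(AUDIT_LOG, ASSIGNMENTS)
    for event in events:
        print("unassigned access:", *event)
    for user, day in flagged:
        print("needs review:", user, day)
```

A single unassigned access, such as a nurse covering for a colleague, is listed but not flagged, so the threshold separates routine exceptions from browsing across many records.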
3. Physical Breaches
The next most prevalent type of data breach, according to the Verizon report, was physical breaches, making up 16.9 percent. Theft was by far the most significant contributor to this category. Others included snooping, surveillance and tampering.
Theft could come from either an inside or outside actor. Laptops were the items most often stolen, accounting for 44 percent of theft. About 31 percent of cases involved the theft of documents.
To prevent thefts from resulting in unauthorized access to data, organizations should make sure that all sensitive information on laptops is encrypted. While the theft of a laptop would still be a financial loss, taking this step minimizes the risk of a data breach caused by the theft.
4. Hacking
About 14.8 percent of data breaches in healthcare come from hacking, most frequently from stolen credentials. In fact, nearly half of hacking incidents reported in the Verizon study involved stolen credentials.
Brute force was the next most common type of hacking attempt, accounting for 20.9 percent. This type of attack involves systematically trying to guess credentials.
Because the majority of hacking incidents in healthcare involve credentials, encouraging employees to use strong passwords and change them often can go a long way. Healthcare companies may also want to use two-factor authentication, for example combining a username and password with a biometric factor such as fingerprint recognition.
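Alongside those preventive measures, credential guessing can be detected from authentication logs. The following is an added example, not part of the original article: it counts failed logins per account in a sliding window and raises a second, higher-priority alert when a successful login follows a burst. The event format, account names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, source, outcome).
EVENTS = [("2024-03-04T02:00:%02d" % s, "jsmith", "203.0.113.7", "fail")
          for s in (1, 3, 5, 7, 9, 11)]
EVENTS += [
    ("2024-03-04T02:00:20", "jsmith", "203.0.113.7", "ok"),   # login right after burst
    ("2024-03-04T08:30:00", "mlee", "198.51.100.4", "fail"),  # ordinary mistyped password
    ("2024-03-04T08:30:10", "mlee", "198.51.100.4", "fail"),
    ("2024-03-04T08:30:25", "mlee", "198.51.100.4", "ok"),
]
EVENTS += [("2024-03-04T%s:00" % t, "akhan", "198.51.100.9", "fail")
           for t in ("09:00", "09:15", "09:30", "09:45", "10:00")]  # spread over an hour


def detect_guessing(events, max_failures=5, window=timedelta(minutes=5)):
    """Return alerts as (account, timestamp, kind), in time order.

    'failure_burst': failures for one account within `window` reach max_failures.
    'success_after_burst': a login succeeds while such a burst is still in the window.
    Failures are counted per account, not per source, because guesses against
    one account can arrive from many addresses.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    for ts_text, account, _source, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failures = recent[account]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if outcome == "fail":
            failures.append(ts)
            if len(failures) == max_failures:  # alert once when the threshold is hit
                alerts.append((account, ts_text, "failure_burst"))
        else:
            if len(failures) >= max_failures:
                alerts.append((account, ts_text, "success_after_burst"))
            failures.clear()  # a successful login resets the count
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(EVENTS):
        print(*alert)
```

The five widely spaced failures for the third account never share a window and raise no alert, which is why slow guessing also calls for the account lockout and second-factor controls described above.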
5. Malware
Malware was the fifth most common type of data breach, according to the study. This malicious software accounted for 10.8 percent of violations. The majority (70.5 percent) of these kinds of attacks came from ransomware, which blocks access to a computer system until the victim pays a ransom.
Databases, servers and desktops are most likely to be the targets of these attacks.
To prevent these types of breaches, healthcare organizations can provide training to help staff avoid scams and malware. They should also employ robust antivirus software.
As healthcare becomes more digital, and technology continues to play a growing role in the sector, data breaches will continue to be a concern. It’s important that healthcare organizations take a proactive stance against these threats.
Along with the steps listed above, they should conduct regular risk assessments and reviews of the security measures they have in place. They should also back up data to a secure, off-site location and carefully evaluate the cybersecurity aspects of all third parties. Data access control and training may be some of the most impactful measures healthcare companies can put in place.
By taking these steps and making protection from data breaches a priority, healthcare companies can help protect against these growing risks.