More than half of data breaches in healthcare systems are due to internal mistakes or neglect, according to a new study.
Healthcare system neglect has resulted in more data breaches than hackers and theft.
More than half of all healthcare data breaches are the result of internal factors in healthcare organizations, not hackers or external parties, according to a study conducted by researchers from Michigan State University and Johns Hopkins University.
The research detailed nearly 1,800 large data breaches of protected health information (PHI) over seven years, with 33 hospitals experiencing more than one substantial breach.
John (Xuefeng) Jiang, Ph.D., lead author and associate professor of accounting and information systems at MSU's Eli Broad College of Business, and his co-author, Ge Bai, Ph.D., associate professor at the Johns Hopkins Carey Business School, reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.
When a hospital has a data breach, it must be reported to the U.S. Department of Health and Human Services (HHS), which records the suspected cause as one of six breach types: theft, unauthorized access or disclosure, hacking or IT incident, loss, improper disposal, or "other." Breaches affecting 500 or more individuals are also posted publicly by HHS, which is the population a study of large breaches draws on.
Jiang and Bai found that 53 percent of the breaches were the result of internal factors in healthcare entities. Of the remainder, theft accounted for 33 percent of all breaches and hacking for just 12 percent.
“One quarter of all the cases were caused by unauthorized access or disclosure — more than twice the amount that were caused by external hackers,” Jiang said.
This could be an employee taking PHI home or forwarding it to a personal account or device. It can also take the form of email mistakes, such as an employee sending sensitive information to the wrong recipient.
“Hospitals, doctors offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” Jiang said.
According to the study, theft by outsiders or unknown parties (32.5 percent), disclosing PHI through mailing mistakes by employees (10.5 percent) and theft by former or current employees (9 percent) were the three major causes of PHI breaches.
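The two insider failure modes described above (an employee forwarding PHI to a personal account, and PHI going to a mistyped or wrong recipient) are exactly what an outbound-mail data-loss-prevention (DLP) check is meant to catch before the message leaves the organisation. The following is an added example written for this page, not code from the study or from MSU; the organisation domain `examplehealth.org`, the webmail list, the `MRN-1234567` record-number format and the sample messages are all constructed assumptions.

```python
"""Minimal outbound-mail DLP check for PHI (added example; all domains and
record formats are hypothetical)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed organisation domain; mail to these domains stays internal.
INTERNAL_DOMAINS = {"examplehealth.org"}
# Consumer webmail: PHI sent here is the "forwarded to a personal account" case.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# SSN in AAA-GG-SSSS form; structurally invalid areas (000, 666, 9xx),
# group 00 and serial 0000 are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical medical record number format "MRN-1234567" (real formats vary).
MRN_RE = re.compile(r"\bMRN-?\d{7}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    reasons: list[str] = field(default_factory=list)


def phi_indicators(text: str) -> list[str]:
    """Return which PHI patterns appear in the text."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if MRN_RE.search(text):
        found.append("mrn")
    if DOB_RE.search(text):
        found.append("dob")
    return found


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution.
    Used to spot a recipient domain that is a typo of the internal domain."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # deletion from a
        elif len(b) > len(a):
            j += 1            # insertion into a
        else:
            i += 1            # substitution
            j += 1
    # Any unconsumed tail is one more edit.
    return edits + (len(a) - i) + (len(b) - j) == 1


def evaluate(msg: Message, internal=INTERNAL_DOMAINS, webmail=PERSONAL_WEBMAIL) -> Verdict:
    """Block a message that carries PHI to any recipient outside the organisation,
    and say why for each offending recipient."""
    indicators = phi_indicators(msg.body)
    if not indicators:
        return Verdict("allow")
    reasons = []
    for rcpt in msg.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in internal:
            continue
        label = ", ".join(indicators)
        if domain in webmail:
            reasons.append(f"{rcpt}: PHI ({label}) to personal webmail")
        elif any(within_one_edit(domain, d) for d in internal):
            reasons.append(f"{rcpt}: PHI ({label}) to look-alike of internal domain (mistyped recipient?)")
        else:
            reasons.append(f"{rcpt}: PHI ({label}) to external domain {domain}")
    return Verdict("block" if reasons else "allow", reasons)


def run_samples() -> list[Verdict]:
    """Constructed sample traffic: internal PHI, PHI to webmail, PHI to a typo domain, no PHI."""
    samples = [
        Message("nurse@examplehealth.org", ["doctor@examplehealth.org"], "Please review MRN-4471902 before rounds."),
        Message("clerk@examplehealth.org", ["clerk.home@gmail.com"], "Finishing at home: patient SSN 123-45-6789."),
        Message("billing@examplehealth.org", ["dr.smith@exampleheath.org"], "Statement for J. Doe, DOB: 03/14/1961"),
        Message("hr@examplehealth.org", ["vendor@partner.example"], "Invoice 1187 attached, thanks."),
    ]
    return [evaluate(m) for m in samples]


if __name__ == "__main__":
    for v in run_samples():
        print(v.action, v.reasons)
```

The check deliberately stays narrow: it catches PHI leaving for a personal mailbox or a mistyped domain, which are the cases the study's "unauthorized access or disclosure" bucket describes, but it cannot tell that an internal recipient is the wrong colleague, and pattern-based PHI detection will miss free-text clinical notes that contain no identifier in a recognisable format.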
The consequences of data breaches vary. Some are minor, such as exposure of patients' phone numbers, but other incidents are far more invasive. In 2015, for example, 37.5 million records were compromised at the insurer Anthem; many of the victims were not notified promptly and only learned of the breach when they went to file their taxes and found that a third party had already filed fraudulent returns in their names.
So, what can be done to protect this information?
Jiang and Bai suggest that healthcare providers adopt and enforce internal policies and procedures that tighten how PHI is handled, so that the insiders who cause the majority of breaches are prevented from leaking it.
“The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption,” MSU officials said in a release.