In 2015, more than 112 million people were affected by a healthcare data breach. In 2016, the number of breaches increased 17%. The healthcare industry and its business associates that handle personal health information (PHI) are facing a major challenge and increasing data security risk.
Healthcare is one of the fastest growing sectors in the U.S. Everything from healthcare IT, to analytics, to patient numbers is expected to increase over the coming years. This presents a fast-growing footprint that will only increase risk if data security isn’t adequately addressed. While many threats certainly come from outsider attacks and hackers, healthcare organizations aren’t doing enough to mitigate breaches coming from the place they can control – the inside.
In general, a recent study by Dtex Systems found that 95% of organizations report having workers who have actively tried to bypass corporate security protocols and that 60% of attacks are carried out by company insiders. While some of those breaches are driven by malicious intentions, the majority (68%) are caused by employee negligence. An End User Security Survey by Dell found that 45% of employees admit to engaging in unsafe work behaviors, such as accessing confidential information via public WiFi, using a personal email account for work or losing a company-issued device. Causing even more concern, employees within highly regulated fields (such as healthcare) engage in these actions at a higher rate.
Within healthcare specifically, nearly 80% of healthcare leaders name employee awareness as their biggest security concern. That concern is well founded, as Protenus (which releases a monthly “Breach Barometer”) noted a significant jump in healthcare breaches in March 2017, largely driven by insider error or wrongdoing (44%).
Often, healthcare employees don’t know that they’re causing a data breach, or believe that what they are doing isn’t a big deal because they are not stealing information or using the data for malicious purposes. For instance, St. Charles Health System in Oregon experienced a breach when it discovered that a caregiver accessed roughly 2,500 patient records without authorization. While the caregiver signed an affidavit that they didn’t share the information or use it to commit fraud, St. Charles still had to report the breach and offer all affected patients risk mitigating services like credit monitoring. In an incident at Virginia Mason Memorial hospital in Washington, 21 employees were found to have improperly accessed patient records. Since none of the information has shown up on the black market, officials “believe this to be a case of snooping, or individuals who were bored.”
At the end of the day though, any improperly accessed or shared protected data constitutes a data breach according to HIPAA compliance standards.
Mistakes happen, and they always will happen. The key is to take proactive steps to limit the number and reach of mistakes. Training, policies and procedures are good, but they won’t stop everything. Brady Ranum, VP of Product and Strategy at Dizzion, recently spoke on this point in a webinar about compliance:
“Training is fantastic. The unfortunate part is that, no matter how much emphasis you put around it, people forget. It might be that afternoon, it might be the next day, it might be two days later that they’re just back to doing their jobs. They’re trying to be as efficient as they can and they’re trying to do the best jobs that they can. And when you’re doing your job, a lot of the time security is the last thing you’re thinking about.”
Data security and compliance professionals should keep this reality in mind when creating programs to protect data. The best way to prevent internal data breaches is to implement strong security measures and controls alongside policies and training. Likewise, meeting compliance standards does not necessarily mean your data is secure (just ask Target, which experienced its famous 2013 data breach shortly after being declared PCI compliant). Strong internal measures need to be put in place, well beyond simple data encryption.
The key to implementing the right level of controls is understanding key use cases and the functions, data and applications those users need access to. If one set of users – say telehealth clinicians or third party contractors like medical transcriptionists – doesn’t need access to select data, close down access to that application or to certain parts/functions of the application. If unnecessary information can’t be accessed in the first place, unauthorized or inappropriate data access is stopped in its tracks.
When well implemented, controls go much further than simply not giving certain users login credentials to some applications. Security needs to be extended all the way to the desktop for proper data protection. The desktop is how every user, everywhere, on every device (including laptops, tablets and smartphones) accesses the data you need to protect. If information can be saved to the desktop or otherwise transferred without permission (screen capture, printing, saving to an external drive) it can quickly slip out of your control.
To protect data at every level, common sense actions like limiting access and encrypting data are important – but they aren’t enough. It’s also critical to go a step further and make the work environment secure by locking down high risk functions to certain user groups and having everyone who touches your information work within an isolated, secure, HIPAA compliant virtual desktop (which further protects data by making it easy to manage controls and keeps all data off endpoint devices that could be lost or stolen). Strong security isn’t just around data, but around the desktop, applications and overall environment that data lives in.
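The access model described above, as an added example (not Dizzion’s code): a deny-by-default role policy for the personas named in the post, with the high-risk desktop functions left out of every clinical role, a treatment-relationship check on chart views, and an audit pass that replays an access log against the policy to surface the snooping pattern. All roles, users, patient ids and log lines are constructed.

```python
"""Deny-by-default role policy for PHI access, plus an audit pass over an
access log. Constructed example; roles, users, patients and log are made up."""
from collections import defaultdict

# Role -> permitted (application, function) pairs. Anything absent is denied,
# which is how print, screen capture and export stay closed to clinical roles.
ROLE_POLICY = {
    "telehealth_clinician": {("ehr", "view_chart"), ("ehr", "write_note")},
    "medical_transcriptionist": {("dictation", "play_audio"),
                                 ("dictation", "write_transcript")},
    "compliance_officer": {("ehr", "view_chart"), ("ehr", "view_audit_log"),
                           ("ehr", "print")},
}
ROLES = {"dr_lee": "telehealth_clinician", "tx_kim": "medical_transcriptionist",
         "aud_ray": "compliance_officer"}
# User -> patients with an active treatment relationship (constructed).
ASSIGNED = {"dr_lee": {"P100", "P101"}}


def is_permitted(role, application, function):
    """Role check: deny by default, including unknown roles."""
    return (application, function) in ROLE_POLICY.get(role, set())


def authorize(user, application, function, patient_id=None):
    """Decide one request. Chart views also need a treatment relationship
    unless the role is the auditor. Returns (allowed, reason)."""
    role = ROLES.get(user)
    if not is_permitted(role, application, function):
        return False, "function not in role policy"
    if (function == "view_chart" and role != "compliance_officer"
            and patient_id not in ASSIGNED.get(user, set())):
        return False, "no treatment relationship"
    return True, "ok"


def audit(log):
    """Replay (user, application, function, patient_id) entries against the
    policy; return {user: [reasons]} for every access that should not have
    happened. A long list of relationship failures is the snooping pattern."""
    findings = defaultdict(list)
    for user, app, fn, pid in log:
        allowed, reason = authorize(user, app, fn, pid)
        if not allowed:
            findings[user].append(reason)
    return dict(findings)


SAMPLE_LOG = [  # constructed entries from one shift
    ("dr_lee", "ehr", "view_chart", "P100"),   # own patient: fine
    ("dr_lee", "ehr", "view_chart", "P999"),   # not their patient
    ("tx_kim", "dictation", "write_transcript", None),
    ("tx_kim", "ehr", "print", "P100"),        # high-risk function
    ("tx_kim", "ehr", "view_chart", "P100"),   # wrong application
    ("aud_ray", "ehr", "view_chart", "P100"),  # auditor: fine
]
```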