“The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external.”1
While large and costly data breaches perpetrated by criminal hackers (such as the Equifax breach in 2017) make for splashy headlines, data breaches in healthcare caused by employee error and misuse are far more common.
Whether intentionally or not, your employees are the biggest risk of a healthcare data breach (confirmed data disclosure) and pose a great financial and compliance risk to your practice. According to Verizon’s 2018 Data Breach Investigations Report, employees are involved in 71% of all cybersecurity incidents (regardless of whether data was compromised) in healthcare — more than in any other industry — and 53% of all healthcare cybersecurity incidents are caused by inadvertent employee actions (e.g., error, physical loss/theft of devices or records, and social attacks/phishing).1 These “inadvertent actors” do not intend to do harm, but unintentionally leave the door open for cybercriminals by, for example, opening malicious attachments or clicking malicious links in spam emails, or losing unprotected laptops containing sensitive data.
A Healthcare Data Breach Can Put Your Practice and Patients at Risk
Healthcare data breaches are the costliest of any industry, with an average cost of $380 per record — 69% greater than the overall average. This is due in part to the notification costs and fines associated with regulatory non-compliance (both federal HIPAA regulations and state laws) and higher than average “churn” (the loss of patients as a result of a breach).1
One of the costliest threats for healthcare practices — ransomware — is also caused largely by employees opening attachments or links in well-disguised malicious emails.1 A ransomware attack can put patient safety at risk by blocking access to critical electronic medical records. The cost, too, can be disastrous: a practice may pay tens of thousands of dollars to unlock hijacked medical records, on top of the other costs associated with a data breach such as fines, legal fees, notification and digital forensic investigations.2 And paying the ransom doesn’t even guarantee restored access to your files.1
- 79% of healthcare data breaches included medical data and 37% included personal data (a single breach often involves multiple data types).
- Error is a factor in healthcare cybersecurity incidents almost seven times more often than in other industries.
- 18% of healthcare cybersecurity incidents were caused by “malicious insiders” — employees engaging in unapproved or malicious use of organizational resources (i.e., privilege misuse), such as exporting and selling data or voyeuristic snooping into health records.
While the financial costs to your practice can be devastating in a healthcare data breach, the potential personal cost to your patients is equally grave: the embarrassing and potentially life-changing disclosure of sensitive health information, or the lives and health of patients put at risk if ransomware locks caregivers out of patient records or other critical data and systems.
Many of the recommendations in this article can help you satisfy implementation specifications in the HIPAA Security Rule, the standards set forth for protecting electronically stored PHI (ePHI). While compliance with the HIPAA Security Rule is not a guarantee against a data breach, compliance with the specifications can improve your data security posture and help prevent them.
Build a Culture of Security to Protect Against Employee Data Breaches
The good news is that, because more than half of data breaches in healthcare are caused by the inadvertent actions of employees, there is an opportunity for your practice to greatly reduce the risk of attack with employee training and awareness that builds a pervasive “culture of security.” You work hard at building a “culture of safety” to increase patient safety in your practice. Applying that same diligence to building a “culture of security” can help guard against inadvertent cybersecurity incidents.
As we’ve seen with ransomware that blocks access to patient records, cybersecurity is a patient safety issue, too. One author suggests thinking of information security as not a medical condition with a ready cure but as a chronic illness requiring ongoing treatment, monitoring, testing and re-evaluation.3
Enhanced Staff Training & Awareness
- Provide continual, multifaceted security awareness training that includes internal training, daily reminders and visual workplace cues.3
- Inform staff that accessing PHI for reasons not related to their job functions is a violation of state and federal privacy law.
- Consider implementing mechanisms that warn users when they are accessing PHI and remind them that access is monitored and audited (only where this is actually the case).
- Establish a corporate culture that frowns upon printing out sensitive data.4
Strong Policies & Procedures
- Maintain strict security policies with a strong reward/sanction system. Employees should:
  - Never share login credentials.
  - Never log in colleagues using their own access credentials.
  - Always log out of shared terminals after each use.
  - Turn off (not simply log out of) computers and shared terminals at the end of the work day whenever possible.
- Conduct an “annual exam” on your information security practices, as well as a periodic HIPAA security risk analysis — a requirement of the HIPAA Security Rule.3 Regarding the HIPAA security risk analysis:
  - The Security Rule does not stipulate the details of the risk analysis or who must perform it, only that a covered entity must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities.”
  - Contracting with a third party to perform a HIPAA risk analysis and employee training may be a good option for many practices, especially those without in-house IT and security staff. Know, however, that HHS does not officially recognize any HIPAA compliance certification: a private certification does not absolve you of your legal obligations under the Security Rule and does not preclude HHS from finding a security violation.
  - See additional HIPAA risk analysis resources below.
- Have and enforce a formal procedure for disposing of anything that might contain sensitive data.4
- Establish a “four-eyes” (two-person review) policy for publishing or sending information.4
- Ensure that all security and data handling policies are task-oriented and easily understood by non-technical staff.
- Consider “safe harbor” policies that encourage employees to safely report inadvertent security lapses or suspicions of malicious or inappropriate behavior.
- Enter into HIPAA business associate agreements as necessary with third parties providing data security services.
  - Consult your practice attorney or medical professional liability insurance carrier if you’re unsure whether one is needed.
Deploy and Configure Systems to Prevent and Detect Security Violations
The most secure practice environment is the one that doesn’t leave it all up to employees but enables systems to automatically manage security and user access efficiently and effectively, automating actions when possible and mitigating losses in the event of mistakes. If your practice does not have a dedicated IT security staff, consider working with your IT vendor as necessary to implement these recommendations.
- Ensure that your sensitive data is backed up regularly in case of a ransomware attack or system failure that causes loss of data.1
- Protect your most critical digital assets by segregating them and prioritizing them in your business continuity plan.1
- Deploy unique access credentials for every employee — including temporary users, contract employees, and vendor contacts — for any system they need access to, and do not reuse usernames of former employees. “Different person, different ID” should be an inviolable policy, however infrequently a person may need to access your systems.
  - This is a best practice in today’s business environment, but it bears repeating as the cornerstone of all other information security efforts such as data access restrictions and auditing.
  - Sharing access credentials is a violation of the HIPAA Security Rule.5
  - Access sharing may also be a violation of software licenses, as a form of software piracy, because it has the effect of reducing the identified number of users of the system.5
- Implement auditing and monitoring of access to sensitive data whenever possible.
  - This is greatly facilitated by a “different person, different ID” policy, which will enable system administrators and management to remediate system errors or misconfigurations, identify the individuals involved in an incident, and provide additional training or impose sanctions as appropriate.
- Restrict employee access to only the data needed to perform their job function. For example, a receptionist may need access to appointment scheduling software but not patient progress notes.
- Inoculate yourself by encrypting sensitive data3 and enabling password protection and remote wipe capabilities on all devices containing sensitive data, to secure the data in case of device loss or theft.
  - Properly encrypting data on a device renders the data “unusable, unreadable, or indecipherable to unauthorized individuals” according to the HIPAA Breach Notification Guidance and could help you avoid the requirement of a HIPAA breach notification if the device is stolen or lost.
- Place safeguards on downloading or exporting sensitive data:
  - Require that only authorized devices configured with the proper encryption and security software be allowed to access systems containing sensitive data.
  - Restrict exporting of data to only authorized devices, by authorized individuals and only for clearly defined purposes.
  - Whenever possible for staff who need off-site access to sensitive data, enable direct access to systems over encrypted connections to eliminate the need for downloading or exporting data.
    - Providing direct access to data also ensures that remote staff will always have access to the most up-to-date information.
  - If exporting of data is required, mitigate risks and limit the scope of any resulting breach:
    - Export only the data that’s necessary for the task.
    - Maintain end-to-end encryption of the data.
- Deploy password managers such as 1Password or LastPass to enable easy use of strong passwords.
- Implement email security software that guards against email fraud, impostor email, phishing, malware and spam.
- Enable network and device firewalls.
- Keep all operating systems and software up-to-date with the latest security patches, especially highly targeted software like Microsoft Office apps.
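The unique-ID, access-monitoring and least-privilege recommendations above only pay off if someone actually reviews the audit trail. The following added example (not code from the original article or any EHR vendor) runs two simple checks over a constructed access log: accesses to record types outside a user’s role, and one user ID appearing on two workstations within a few minutes, which is the audit signature of a shared login. The log format, role table and five-minute window are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real system):
# timestamp,user,workstation,record_type,patient_id,action
AUDIT_LOG = """\
2018-05-08T08:02:11,rfront,WS-RECEPTION,schedule,P1001,view
2018-05-08T08:05:40,rfront,WS-RECEPTION,progress_notes,P1001,view
2018-05-08T09:10:05,dnurse,WS-EXAM1,progress_notes,P1002,view
2018-05-08T09:11:30,dnurse,WS-BILLING,schedule,P1003,view
2018-05-08T13:00:00,dnurse,WS-EXAM1,progress_notes,P1004,update
"""

# Hypothetical role assignments and the record types each role may touch
# (least privilege: a receptionist needs scheduling, not clinical notes).
USER_ROLES = {"rfront": "receptionist", "dnurse": "nurse"}
ROLE_ACCESS = {"receptionist": {"schedule"},
               "nurse": {"schedule", "progress_notes"}}
# One user ID on two workstations inside this window suggests a shared login.
SHARED_LOGIN_WINDOW = timedelta(minutes=5)

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, ws, rtype, patient, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "ws": ws,
                     "rtype": rtype, "patient": patient, "action": action})
    return rows

def role_violations(rows):
    """Accesses to record types the user's role does not permit."""
    out = []
    for r in rows:
        allowed = ROLE_ACCESS.get(USER_ROLES.get(r["user"]), set())
        if r["rtype"] not in allowed:
            out.append((r["user"], r["rtype"], r["patient"]))
    return out

def shared_login_suspects(rows):
    """User IDs seen on two different workstations within the window."""
    suspects, last_seen = set(), {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        prev = last_seen.get(r["user"])
        if prev and prev["ws"] != r["ws"] and r["ts"] - prev["ts"] <= SHARED_LOGIN_WINDOW:
            suspects.add(r["user"])
        last_seen[r["user"]] = r
    return sorted(suspects)

if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("role violations:", role_violations(events))
    print("possible shared logins:", shared_login_suspects(events))
```

Either finding is a prompt for follow-up (retraining or sanctions per your policy), not proof of misuse on its own; a nurse legitimately moving between rooms will also trip the workstation check, so tune the window to your workflow.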
Prevention Is the Best Medicine for Avoiding HIPAA Data Breaches
Because nearly half of all data breaches in healthcare are caused by the inadvertent actions of employees, you can greatly reduce your risk of a breach by maintaining compliance with the HIPAA Security Rule and using the recommendations above to build a pervasive “culture of security” at your practice.
HIPAA Security Rule and Risk Analysis Resources
- Offers a security risk assessment tool to assist small to mid-sized organizations as well as videos on what a risk assessment may involve
- Provides specific guidance on Risk Analysis
- Provides the latest guidance, FAQs and other information on the HIPAA Privacy and Security Rules
- Provides links to the Security Rule Educational Paper Series, HIPAA Security Guidance, and the National Institute of Standards and Technology (NIST) Special Publications
- Provides information relevant to information technology security
1. Verizon Enterprise. “Verizon 2018 Data Breach Investigations Report.” (accessed 5/8/18)
2. Biddle, Susan. “What Does a Ransomware Attack in Healthcare Really Cost?” August 24, 2017. (accessed 5/8/18)
3. Manos, Diana. “5 Ways to Avoid Health Data Breaches.” Healthcare IT News. February 19, 2014. (accessed 5/8/18)
4. Verizon Enterprise. “Verizon 2017 Data Breach Investigations Report Executive Summary.” (accessed 5/8/18)
5. Jenkins, Marion K. “Shared Usernames: HIPAA Security No-No.” Becker’s ASC Review. October 1, 2009. (accessed 5/8/18)
Additional Linked Sources
Ponemon Institute. “2017 Cost of Data Breach Study: United States.” (accessed 5/8/18)
U.S. Department of Health and Human Services:
- “Summary of the HIPAA Security Rule.” (accessed 5/8/18)
- “Are we required to ‘certify’ our organization’s compliance with the standards of the Security Rule?” (accessed 5/8/18)
- “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.” (accessed 5/8/18)