Knowledge Library

The digital practice—the electronic storage, access, sharing, and monitoring of health information—promises increased convenience, improved patient care, and lower costs.¹ But this electronic access to medical records also brings with it the risk of cyberattacks and new avenues for employee error and misuse that could put sensitive patient data at risk of exposure and your practice at risk of violating state and federal regulatory and privacy laws.

“The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external.”¹

Even with this grim realization, there is some good news for healthcare practices. Because more than half of healthcare data breaches are caused by inadvertent actions of employees, there is an opportunity for practices to greatly reduce their risk of attack with employee training and awareness that builds a pervasive “culture of security.”

“The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external.”¹

While large and costly data breaches perpetrated by criminal hackers (such as the Equifax breach in 2017) make for splashy headlines, data breaches in healthcare caused by employee error and misuse are far more common.

A common scenario in email security breaches is seen when a billing service sends a bill to an incorrect email address. In most practice arrangements, a third-party billing company will have signed a business associate agreement. According to HIPAA, business associates must inform covered entities when they discover a security breach; however, HHS gives covered entities and business associates flexibility in defining, in the business associate agreements, how and when a business associate should notify the covered entity of a potential breach.¹ Consider the following case. (Please note that the following case focuses on the clinic’s responsibility to analyze the risk and perform the breach notification, even though the breach was caused by a business entity.)

According to HHS data, more than a third of all data breaches reported through 2017 involved a laptop, desktop, or mobile device.¹ Compare Cases One and Two, and consider how better security practices protected the covered entity in Case Two.