JAMA Internal Medicine, online November 19, 2018.
Most health information data breaches in the U.S. in recent years haven’t been the work of hackers but instead have been due to mistakes or security lapses inside healthcare organizations, a new study suggests.
Hackers got their hands on records for a total of 133.8 million patients in 233 separate incidents during the study period.
But the top cause of data breaches, accounting for 42 percent of cases and 472 incidents, was theft of equipment or information by unknown outsiders or by current or former employees, the study found.
Another 25 percent of cases involved employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.
“More than half of breaches were triggered by internal negligence and thus are to some extent preventable,” said study coauthor Ge Bai of the Johns Hopkins Carey Business School in Washington, D.C.
“Digital mistakes like these, together with bricks and mortar ones, account for more than half of the breaches,” Bai added. “Our finding obviously has a silver lining: it is not hard to mitigate breach risks if healthcare entities ensure that simple protocols are followed by their employees.”
To address data breaches related to improper storage, healthcare organizations should transition from paper to digital medical records, Bai advised. They should also avoid the use of mobile devices for protected information and instead use encryption, firewall protection and cloud-based data storage.
In addition, breaches related to poor communication practices can also be avoided, Bai said. To accomplish this, healthcare organizations should require mandatory verification of the recipients, verify no private information is exposed in envelope windows for mailed documents and ensure encryption is used for emails.
Mobile devices were involved in 46 percent of cases, while paper records accounted for just 29 percent of breaches, the researchers report in JAMA Internal Medicine.
Employees taking data home or forwarding it to personal email accounts contributed to 74 breaches in the study, or about 6.5 percent of cases.
The study wasn’t a controlled experiment designed to prove whether or how specific policies adopted by health care organizations might help prevent or permit security breaches.