Hackers are not main cause of health data breaches

(Reuters Health) - Most health information data breaches in the U.S. in recent years haven’t been the work of hackers but instead have been due to mistakes or security lapses inside healthcare organizations, a new study suggests.

Silhouettes of laptop users are seen next to a screen projection of binary code in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

Researchers examined data released by the U.S. Department of Health and Human Services on 1,138 health data breaches affecting a total of 164 million patients from October 2009 through the end of 2017.

Hackers got their hands on records for a total of 133.8 million patients in 233 separate incidents during the study period.

But the top cause of data breaches, accounting for 42 percent of cases and 472 incidents, was theft of equipment or information by unknown outsiders or by current or former employees, the study found.

Another 25 percent of cases involved employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.

“More than half of breaches were triggered by internal negligence and thus are to some extent preventable,” said study coauthor Ge Bai of the Johns Hopkins Carey Business School in Washington, D.C.

Some healthcare organizations put so-called protected health information (PHI) on their websites without any protection, simply through negligence, Bai said by email. Other times, employees failed to use encryption even when they had access to an encryption tool.

“Digital mistakes like these, together with bricks and mortar ones, account for more than half of the breaches,” Bai added. “Our finding obviously has a silver lining: it is not hard to mitigate breach risks if healthcare entities ensure that simple protocols are followed by their employees.”

To address data breaches related to improper storage, healthcare organizations should transition from paper to digital medical records, Bai advised. They should also avoid use of mobile devices for protected information and instead use encryption, firewall protection and cloud-based data storage.

Breaches related to poor communication practices can also be avoided, Bai said. To accomplish this, healthcare organizations should require mandatory verification of recipients, verify that no private information is exposed in envelope windows for mailed documents and ensure encryption is used for emails.

Mobile devices were involved in 46 percent of cases, while paper records accounted for just 29 percent of breaches, the researchers report in JAMA Internal Medicine.

Employees taking data home or forwarding it to personal email accounts contributed to 74 breaches in the study, or about 6.5 percent of cases.

Mailing mistakes accounted for two-thirds of the data breaches involving communication errors by employees, the study also found.

The study wasn’t a controlled experiment designed to prove whether or how specific policies adopted by healthcare organizations might help prevent or permit security breaches.

SOURCE: JAMA Internal Medicine, online November 19, 2018.