Earlier this quarter Verizon released an analysis of more than 1,300 security incidents involving the healthcare industry. While the growing number of breaches is concerning, I found the results of this study encouraging and here's why.
In the healthcare industry, particularly in larger organizations, data breaches have largely been a result of attacks by outsiders.
These attacks expose highly sensitive information including personally identifiable information (PII) as well as confidential health information.
However, the Verizon report - which drew most of its data from mandatory data breach reports filed under HIPAA in the U.S. - turned up an interesting detail.
It turns out the vast majority of breaches in smaller healthcare organizations (fewer than 1000 employees) were the result of employee error, not outside attackers.
This is where the good news comes in for many healthcare organizations:
If the breaches, whether accidental or malicious, are mostly coming from inside, there is a lot under your control that can be done to try and prevent them!
Most Breaches Due to Insider Wrong-Doing and Insider Error
Simple user error caused 35% of the breaches - healthcare records being misdelivered, disposed of improperly or simply lost. Oftentimes these were paper records, not electronic.
An additional 30% of breaches were the result of the misuse of healthcare records, meaning that employees mishandled information or were looking at information outside of their normal job scope.
Even when outsiders were to blame for a data breach, the most common cause (15 percent of all breaches) was simple physical theft.
When an outside hack did occur, the majority of them were the result of stolen credentials.
5 Top Recommendations for Data Breach Prevention
I realize that it doesn't sound encouraging to be told "the enemy is us" but the message here is that the majority of protected health information (PHI) data breaches can be prevented - or at least reduced.
Here are my five top recommendations to help you increase security and maintain compliance in your organization.
1) Conduct a risk assessment
Annual risk assessments are a required component of HIPAA compliance, but organizations often just go through the motions when completing them. Take some extra time with your next one and conduct it with an eye toward identifying how PHI can be lost or mishandled.
Not sure how to conduct a risk assessment?
There is a lot of good free information on how to do it. The U.S. Department of Health and Human Services publishes guidance on how to conduct a risk assessment and even provides software to walk you through the process. See: Guidance on Risk Analysis.
The application has some limitations, including explanations that do not provide guidance in plain language and an inability to export to a standard format like Excel or .CSV.
I like using NIST’s Special Publication 800-66, Revision 1, to create the structure for the risk assessment. This publication also contains other useful information, such as how to actually conduct the assessment.
2) Training in handling PHI
Employees need better instruction on how to handle PHI, and they need constant refreshers. Training should be focused not simply on proper procedures, but on creating a culture of security and careful handling of information.
We’re not talking about training people how to use a shredder here, but about developing habits such as double-checking a fax number before pressing the transmit button.
Consider something like a “loose lips sink ships” campaign with rotating tips posted at key locations in your offices.
Staff should know that they need to keep an eye on one another, not to act as spies to report lapses to HR, but as peer educators.
3) Cyber security training
Employees in all industries need help in recognizing fake emails and the threats they contain. These threats include stealing your credentials and locking all of your critical data with ransomware.
Stolen credentials were far and away the most important method used by hackers to gain unauthorized access to systems in this study, with ransomware accounting for 70 percent of the malware incidents.
Programs that combine simulated phishing messages with training can be extremely successful in reducing the number of times your employees fall for fake messages and put your organization at risk. You’ll find a broad range of products that differ mostly in tone and educational content delivery.
There are types of training that will be too long and complex for your environment and others that will irritate your staff as being too superficial. Test-drive several and select a provider whose approach most closely matches your workplace culture.
4) Encrypted hard drives
Encryption is called out by the Department of Health and Human Services as an important risk mitigation strategy with good reason. It is a simple, inexpensive process of scrambling the contents of a hard drive so that only authorized users have the ability to unscramble and read the contents.
Encryption is coming to be expected as a baseline security measure, and you want to make sure you take advantage of this technology to protect your data.
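Saying drives "should be encrypted" only helps if you can show which ones actually are. The script below is an added example written for this post, not Ntiva's own tooling; it inventories every BitLocker volume on a Windows machine, flags any that are not fully encrypted with protection turned on, and writes a dated CSV you can attach to the risk assessment from step 1. It assumes Windows 8/Server 2012 or later with the built-in BitLocker PowerShell module, an elevated prompt, and the placeholder report path shown, which you would change for your environment.

```powershell
# Added example (not from the original post): audit BitLocker status on this machine.
# Assumes the BitLocker module (Get-BitLockerVolume) is present and the session is elevated.
$reportPath = 'C:\Reports\bitlocker-status.csv'   # assumption: placeholder path, adjust to taste

$findings = Get-BitLockerVolume | ForEach-Object {
    # Collapse the key protector list (e.g. Tpm;RecoveryPassword) into one readable string.
    $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        MountPoint        = $_.MountPoint
        VolumeType        = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus      = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus  = $_.ProtectionStatus    # Off means the volume key is exposed (suspended or never enabled)
        EncryptionPercent = $_.EncryptionPercentage
        KeyProtectors     = $protectors
        # A volume only counts as protected when encryption has finished AND protection is on.
        Compliant         = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
    }
}

$findings | Format-Table -AutoSize

# Escalate anything that is still in the clear or has protection suspended.
$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} volume(s) on {1} are not fully protected: {2}" -f `
        $nonCompliant.Count, $env:COMPUTERNAME, (($nonCompliant | ForEach-Object { $_.MountPoint }) -join ', '))
}

# Keep the evidence: the risk assessment needs a record, not a memory.
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$findings | Export-Csv -Path $reportPath -NoTypeInformation
```

Run it from your management tooling on each workstation and laptop and collect the CSVs centrally; the two columns worth watching are VolumeStatus and ProtectionStatus, because a drive that reports FullyEncrypted but ProtectionStatus Off (a suspended volume, for example after a firmware update) is no safer than an unencrypted one if the laptop goes missing. Make sure each volume also shows a recovery key protector that is backed up somewhere other than the device itself, or an encrypted drive becomes a data-loss event of its own.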
5) Take Advantage of IT Consulting Services
Many times organizations are overwhelmed with their core day-to-day business and don't have the time or talent to conduct security audits, training and other necessary security tasks.
This is where it pays to take advantage of an IT consultant to help you get the job done, either as a one-time effort or on an ongoing basis, which is recommended. Security is too important to let slide!
Ntiva helps our healthcare clients deal with issues like these every day. If you would like help with your risk assessment, or are unsure how to set up training or encrypt your systems, you can give us a call at 703-738-2940 or request a consultation with one of our security experts.