Healthcare System Neglect Is Top Cause of Data Breaches

Authored by hcanews.com and submitted by DesperateTourist

Healthcare system neglect has resulted in more data breaches than hackers and theft.

More than half of all healthcare data breaches are the result of internal factors in healthcare organizations, not hackers or external parties, according to a study conducted by researchers from Michigan State University and Johns Hopkins University.

The research detailed nearly 1,800 large data breaches of protected health information (PHI) over seven years, with 33 hospitals experiencing more than one substantial breach. John (Xuefeng) Jiang, Ph.D., lead author and associate professor of accounting and information systems at MSU's Eli Broad College of Business, and his co-author, Ge Bai, Ph.D., associate professor at the Johns Hopkins Carey Business School, reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.

When a hospital has a data breach, it must be reported to the U.S. Department of Health and Human Services and be classified into one of six categories believed to be the cause: theft, unauthorized access, hacking or an IT incident, loss, improper disposal, or "other."

Jiang and Bai found that 53 percent of the breaches were the result of internal factors in healthcare entities. Among external causes, theft accounted for 33 percent of breaches, while hackers accounted for just 12 percent.

"One quarter of all the cases were caused by unauthorized access or disclosure, more than twice the amount that were caused by external hackers," Jiang said. This could be an employee taking PHI home or forwarding the data to a personal account or device. It may also manifest through email mistakes, like an employee sending sensitive information to the wrong recipient.

"Hospitals, doctors' offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk," Jiang said.

According to the study, theft by outsiders or unknown parties (32.5 percent), disclosing PHI through mailing mistakes by employees (10.5 percent) and theft by former or current employees (9 percent) were the three major causes of PHI breaches.

The consequences of data breaches can vary. Some are minor, such as the exposure of patients' phone numbers, but other incidents can be far more invasive. In 2015, for example, 37.5 million records were compromised from the insurer Anthem. Many of the victims were not notified immediately and only became aware of the breach when they went to file their taxes and discovered that a third party had already fraudulently filed them.

So, what can be done to protect this information?

Jiang and Bai suggest that healthcare providers adopt internal policies and procedures to tighten processes and prevent internal parties from leaking PHI by following protocols.

"The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption," MSU officials said in a release.
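The two internal failure modes the article singles out, PHI forwarded to a personal account and PHI mailed to the wrong recipient, are the kind of thing an outbound-mail screen can catch before the message leaves the organization. The following is an added example, not code from the article or from the MSU/Johns Hopkins study. It assumes a JSON-lines mail log, an internal domain, a partner allowlist, a list of consumer webmail domains and two PHI indicator patterns (an SSN shape and an "MRN-" plus seven digits record number); all of these, and the sample log lines, are constructed for illustration.

```python
"""Outbound-mail screen for two insider failure modes: PHI forwarded to a
personal account, and PHI mailed to an unapproved (possibly mistyped)
external recipient.

Added example, not code from the article or the study. The log format,
domain lists and PHI patterns are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass

# Assumed organisation and trust lists (illustrative values only).
INTERNAL_DOMAIN = "example-hospital.org"
APPROVED_PARTNERS = {"example-insurer.com", "example-lab.net"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# PHI indicators: SSN-shaped tokens and an assumed "MRN-" + 7-digit record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}


@dataclass(frozen=True)
class Finding:
    msg_id: str
    sender: str
    recipient: str
    reason: str
    indicators: tuple


def phi_indicators(text):
    """Return the names of the PHI patterns that match anywhere in text."""
    return tuple(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def recipient_risk(sender, recipient):
    """Classify a recipient address; None means the destination is trusted."""
    s_local, s_dom = sender.lower().rsplit("@", 1)
    r_local, r_dom = recipient.lower().rsplit("@", 1)
    if r_dom == INTERNAL_DOMAIN or r_dom in APPROVED_PARTNERS:
        return None
    if r_dom in PERSONAL_WEBMAIL:
        # The same mailbox name at a webmail provider is the classic self-forward.
        if r_local.split("+")[0] == s_local:
            return "self-forward to personal webmail"
        return "personal webmail recipient"
    # Anything else: an unknown external domain, e.g. a mistyped partner domain.
    return "unapproved external domain (possible misdirected mail)"


def scan(log_lines):
    """Parse JSON-lines mail log entries and return a Finding for every
    (message, recipient) pair where PHI indicators go to an untrusted address."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        text = rec.get("subject", "") + "\n" + rec.get("body", "")
        indicators = phi_indicators(text)
        if not indicators:
            continue  # no PHI in the message, nothing to flag
        for rcpt in rec["to"]:
            reason = recipient_risk(rec["from"], rcpt)
            if reason:
                findings.append(Finding(rec["id"], rec["from"], rcpt, reason, indicators))
    return findings


def summarize(findings):
    """Count findings per reason, the breakdown an analyst would report."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample log (not real traffic). m4 mails a partner at a
# mistyped domain (".co" instead of ".com"), the misdirected-mail case.
SAMPLE_LOG = """
{"id": "m1", "from": "jdoe@example-hospital.org", "to": ["rn.smith@example-hospital.org"], "subject": "handoff", "body": "MRN-0012345 admitted overnight"}
{"id": "m2", "from": "jdoe@example-hospital.org", "to": ["jdoe@gmail.com"], "subject": "for home", "body": "discharge list: MRN-0012345, MRN-0098765"}
{"id": "m3", "from": "billing@example-hospital.org", "to": ["claims@example-insurer.com"], "subject": "claim", "body": "member SSN 123-45-6789"}
{"id": "m4", "from": "billing@example-hospital.org", "to": ["claims@example-insurer.co"], "subject": "claim", "body": "member SSN 123-45-6789"}
{"id": "m5", "from": "jdoe@example-hospital.org", "to": ["friend@yahoo.com"], "subject": "lunch", "body": "noon?"}
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.msg_id}: {f.sender} -> {f.recipient}: {f.reason} {f.indicators}")
```

On the constructed log only m2 (a clinician mailing record numbers to a same-named Gmail account) and m4 (a claim with an SSN sent to a mistyped partner domain) are flagged; m3 goes to an approved partner and m5 carries no PHI indicator. In practice the indicator patterns would be broader and the partner allowlist would come from the organization's own vendor inventory, but the structure, PHI indicator plus untrusted destination, is what separates the internal disclosure cases the study counts from ordinary mail.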

theduckspants on November 21st, 2018 at 20:52 UTC »

As someone in healthcare IT, I'd show you my surprised face but I printed it out and left it in the cafeteria.

DuchessOfKvetch on November 21st, 2018 at 19:32 UTC »

Having worked in both the medical and insurance industry in IT, this is my shocked face.

People seem to care a lot more about violating HIPAA regulations than actually keeping the software and databases secure.

Gullex on November 21st, 2018 at 19:01 UTC »

I'm a worker's comp nurse case manager, working telephonically across the US (I work for the insurance company). A large part of my job is reaching out to doctors' offices to gather clinic notes, orders, etc.

The inconsistency when it comes to the process of requesting records is insane. Some clinics only fax records, some only mail, some only email. Some only accept mailed requests, others use off-site records handling companies so when you call, the person you're talking to has no idea what's going on with the patient, who they're seeing, etc. Sometimes I receive notes and orders fifteen minutes after the appointment, sometimes it takes a month and a half, and the patient sits and waits for them to send us documentation so we can review and authorize whatever the doctor ordered. Yep, some patients wait a month and a half to begin physical therapy because the doctor either won't sign off on the notes, or the office staff won't send them. Other patients will have long since begun treatment and may even have returned to work and closed their claim in that time.

Sometimes I call a place, just give them the patient's information and my fax number and they send me whatever I ask for, no questions asked. I could be anyone. Other places I have to threaten legal action to even get a follow up date.

To complicate matters even more, in worker's comp, HIPAA laws basically do not apply; I don't need a signed release of information from the patient to gather the records. Some clinics are aware of this, some are not.

The very best clinics are those that have a secure online portal and they generate a login for me and I can view and download notes immediately after the appointments.

This is one of the many, many ways the US healthcare system is broken. It's a total joke.