According to an investigative report published by Verizon in 2016, human error was the leading cause of HIPAA security breaches in 2015.
“You might say our findings boil down to one common theme — the human element,” Verizon Enterprise Solutions Executive Director Bryan Sartin said in a press release on the study. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now.”
According to the report, 32% of security events in the healthcare community were caused by stolen assets, 23% involved privilege misuse, and 22% were labelled as Miscellaneous but included errors such as inappropriate publishing of information and sending PHI to the wrong individual.
The study showed that laptops were the most commonly stolen or lost device across all industries. Not surprisingly, stolen devices were most likely to be taken from a work area (39%) or an employee’s personal vehicle (almost 34%). In our experience during Risk Assessments, notebook and tablet computers used in healthcare facilities are not secured to any reasonable degree and frequently contain PHI or have easy access to cloud-based Patient Tracking portals.
Many HIPAA security incidents were caused by privilege misuse, which involved inappropriate or malicious use of company resources. The majority of events were the result of privilege abuse, closely followed by data mishandling and use of unapproved hardware or software.
What may surprise some security managers is that mishandling of data, in the form of staff members improperly mailing patient information or uploading PHI to a sharing service, is a common occurrence. Not surprisingly, reporting shows that a large percentage of breaches were discovered and reported by parties outside the breached organization, which can be quite embarrassing to an organization, not to mention damaging to its reputation.
How do you reduce these risks? First and foremost, security training should be ingrained within the culture of your organization. It can’t be a “one and done” or a “sometimes thing”. Your staff needs to be consistently reminded of their responsibility to both you and your patients. Second, you need an independent review of your security and processes by someone outside of your organization. Your internal security personnel may be too close to the system they built to be objective. It’s only natural for someone to believe they’re doing a good job while their own internal biases affect their objectivity.
If you haven’t had an independent Risk Assessment conducted in the last year, or haven’t reviewed the effectiveness of your security practices and privacy training program, you’re at risk and should begin building a corrective action plan immediately.