Hacking/IT incidents were the leading cause of healthcare data breaches in 2017: 17 of the top 20 breaches fell into this category, compared with 11 of the top 20 in 2016 and 12 in 2015. The increase is partly due to the rise in ransomware attacks on healthcare organizations in 2017, and partly because healthcare organizations have become better at detecting breaches.
Unauthorized access and disclosure is another cause of healthcare data breaches. Incidents of this kind declined slightly, although the improper disposal of electronic devices storing PHI and of physical PHI records increased. More healthcare organizations have encrypted the data stored on laptops and portable devices, which reduced the exposure of ePHI from stolen equipment.
What can healthcare organizations do to minimize the risk of data breaches? OCR's audits show that non-compliance with HIPAA rules is widespread among covered entities. Compliance will not stop every data breach, but it would prevent the majority of them.
Many healthcare organizations fail to conduct an enterprise-wide risk analysis. Even an organization with strong cybersecurity defenses has vulnerabilities, and without a risk analysis to identify the security gaps, those gaps go unaddressed and will be exploited sooner or later.
Investing in new cybersecurity technology is fine, but don't neglect the basics; neglecting them is often the reason for a data breach. Apply software patches promptly. Use strong passwords. Configure cloud storage services correctly so that stored PHI is not publicly accessible. Employees must safeguard unencrypted laptops and never leave them unattended in a vehicle.
Provide ample training so employees can recognize phishing and social engineering scams. Technical controls that block phishing emails are not enough on their own; employees must know how to recognize the phishing messages that get through and how to report them.
Insiders, healthcare employees who steal data to sell to identity thieves, are one more cause of healthcare data breaches. Healthcare providers must implement policies and procedures that discourage unauthorized access and theft of records, backed by frequent audits and automated monitoring of access logs so that unusual access patterns are caught quickly.
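The automated access-log monitoring described above, as an added example that is not part of the original article: a small Python script that reads an EHR audit log and flags three patterns typical of insider record theft, after-hours access, access to patients outside the user's own department, and opening an unusually large number of distinct charts in one hour. The CSV column names, the department model, the business-hours window and the thresholds are all assumptions made for this demonstration, and the log rows are constructed sample data.

```python
"""Heuristic review of EHR access logs for insider-style misuse.

Added example, not from the original article. The log format, column names,
department model and thresholds are assumptions made for this demonstration;
map them onto the audit log your EHR actually produces.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit log (not real data). One row per record access.
SAMPLE_LOG = """\
timestamp,user,user_dept,patient_id,patient_dept,action
2017-06-01T09:12:00,nurse01,cardiology,P1001,cardiology,view
2017-06-01T09:15:00,nurse01,cardiology,P1002,cardiology,view
2017-06-01T10:02:00,dr_lee,oncology,P2001,oncology,view
2017-06-01T14:30:00,nurse01,cardiology,P3001,maternity,view
2017-06-01T23:40:00,billing07,billing,P2001,oncology,view
2017-06-01T23:41:00,billing07,billing,P2002,oncology,view
2017-06-01T23:42:00,billing07,billing,P2003,oncology,view
2017-06-01T23:43:00,billing07,billing,P2004,oncology,view
2017-06-01T23:44:00,billing07,billing,P2005,oncology,view
2017-06-01T23:45:00,billing07,billing,P2006,oncology,export
"""

# Tunables (assumed values; derive real ones from a baseline of normal activity).
BUSINESS_HOURS = (7, 19)                        # accesses outside 07:00-18:59 are flagged
MAX_DISTINCT_PATIENTS_PER_HOUR = 5              # more than this in one clock hour = bulk access
CROSS_DEPT_ALLOWED = {"emergency", "pharmacy"}  # departments expected to touch any chart


def parse_log(text):
    """Parse the CSV audit log into dicts and add a parsed 'ts' datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def detect_after_hours(rows):
    """Flag every access that falls outside business hours."""
    start, end = BUSINESS_HOURS
    return [("after_hours", r["user"], f"{r['patient_id']} at {r['timestamp']}")
            for r in rows if not (start <= r["ts"].hour < end)]


def detect_cross_department(rows):
    """Flag access to a patient of another department by a user whose own
    department is not expected to work across the whole hospital."""
    return [("cross_department", r["user"],
             f"{r['user_dept']} user opened {r['patient_dept']} patient {r['patient_id']}")
            for r in rows
            if r["user_dept"] != r["patient_dept"]
            and r["user_dept"] not in CROSS_DEPT_ALLOWED]


def detect_bulk_access(rows):
    """Flag users who open more distinct patient charts in one clock hour than
    the threshold allows; this is the pattern of someone harvesting records."""
    per_hour = defaultdict(set)
    for r in rows:
        per_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))].add(r["patient_id"])
    return [("bulk_access", user, f"{len(pids)} distinct patients in hour {hour}")
            for (user, hour), pids in per_hour.items()
            if len(pids) > MAX_DISTINCT_PATIENTS_PER_HOUR]


def analyze(log_text):
    """Run all detectors and return a list of (rule, user, detail) findings."""
    rows = parse_log(log_text)
    return detect_after_hours(rows) + detect_cross_department(rows) + detect_bulk_access(rows)


def summarize(findings):
    """Count findings per rule, which is what a daily audit report would show."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for rule, user, detail in results:
        print(f"{rule:17} {user:10} {detail}")
    print(summarize(results))
```

On the constructed log, `billing07` trips all three rules at once, which is the signal a reviewer should escalate: a billing user opening six oncology charts in five minutes near midnight and ending with an export. A single rule firing (a nurse opening one chart from another ward) is usually benign and is why the rules are combined in a report rather than each generating an alert on its own. In production the thresholds should come from each role's baseline rather than fixed constants, and the log should be shipped to a system the monitored users cannot edit.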
Maintain data backups so that when ransomware strikes and the attacker demands a ransom, files can be restored without paying. Keep at least one copy offline or otherwise unreachable from the network, because ransomware that can reach connected backups will encrypt them too, and test restores regularly. If healthcare organizations simply follow the above recommendations, data breaches can be reduced, if not stopped entirely.