Totally Avoidable Causes of Data Breaches

July 21, 2016

The top reasons healthcare data is breached are totally avoidable with basic, low-effort security measures.

In the last six years, 155 million Americans' health data was compromised and healthcare became the single most breached industry, according to a recent Brookings Institute report by Niam Yaraghi. Healthcare data is particularly attractive because it includes information that isn't easily changed (e.g., Social Security numbers, dates of birth, and home addresses) and is therefore more valuable to identity thieves than other types of data. Contrast this with a retail store breach: the credit card numbers targeted are easily changed afterward. While the cost of a data breach is estimated at $363 per patient, most breaches involve thousands of records. Thus, the breach of even a thousand records can cost several hundred thousand dollars. In addition to the financial hit, there may be long-term damage to your reputation, loss of revenue if patients leave your practice, and fines for HIPAA violations.

Why do breaches occur? The "Verizon 2016 Data Breach Investigations Report" and its sub-report focusing on healthcare provide surprising data. Nearly three quarters (73 percent) of healthcare data breaches are due to just three factors: 32 percent are attributable to theft and loss - more than twice the proportion (15 percent) of other industries; 23 percent are from privilege misuse; and 18 percent are from "miscellaneous errors."

The silver lining of these statistics is that many data breaches can be avoided. It's likely you're already doing some of these things. The 2016 Physicians Practice Technology Survey indicates that physicians are beginning to pay more attention to data security - 29 percent of respondents said they have instituted a personal mobile device policy (BYOD) at their practices. Here are three categories of data security that your practice needs to consider. This isn't everything you need to do, but think of it as low-hanging fruit for data breach prevention.

1. "Data loss and theft" just boils down to securing physical devices and data.

• Train staff to handle mobile devices and data storage devices like backup tapes and USB flash drives to avoid theft. A laptop left on a car seat or backup tapes left in the car overnight are still among the most common causes of breaches.

• Enforce clear policies for mobile devices, including personal cellphones, tablets, and laptops. If staff access work data, they must have basic security measures in place, such as a password or PIN and automatic screen locking.

• Apple, Google, and Microsoft offer free tools for basic device management. If a doctor loses their iPad or Android phone, these tools let you locate or remotely wipe the data from the device.

• Encryption is your friend. If an unencrypted backup tape, USB flash drive, phone, or laptop is lost or stolen, you need to assume it will be breached. If it's encrypted, there's little risk of a breach. Encryption is now a standard feature on all newer devices. Both Windows (BitLocker) and OS X (FileVault) offer free encryption features for laptops. iOS devices and recent versions of Android phones include encryption as well.

• Small in size with gigantic capacity, USB flash drives seem destined to be lost. Secure them with encryption if you must use them, but chances are that HIPAA-compliant cloud storage will be a safer solution for your practice. Just make sure staff know not to copy work data to their personal Dropbox, iCloud, or OneDrive accounts.

2. "Privilege misuse" can be avoided with some simple, basic methods.

• Disable staff and vendor accounts as soon as they leave your practice.

• Avoid shared accounts (i.e., used by more than one person), especially those with broad access to systems. Create individual administrative-level accounts for these staff. If everyone is using the same administrative account, things get complicated when someone leaves or is fired.

• Use the auditing functions in your EHR: review its alerts and reports to monitor for any unusual activity.

• Set up EHR accounts based on job roles: you'll probably find you can do with a small number of easily managed roles. This makes it clear who has access to what and also will reduce errors.

• Many devices have default passwords. Hackers love default passwords, so change them.

3. "Miscellaneous errors," the "oops" events to avoid.

• Educate staff to not click links or open attachments in emails. For example, staff should be aware that a prime ploy of ransomware is emails that have "invoices" or "remittances" attached.

• Securely remove data or destroy devices before disposing of them. Simply deleting files from a hard drive or USB flash drive deletes their entry from the device's "table of contents," but the data itself likely remains on the device.

• Train staff not to send any healthcare data over regular (i.e., non-encrypted) email. If you're using Microsoft Office 365 or a patient portal, set up secure messaging and use it.

• Enable installing updates automatically - systems which haven't been updated for months or even years are breach magnets.

• Finally, if your EHR vendor offers it, consider using a cloud-based EHR. A cloud-based EHR runs on servers secured and managed by the vendor, relieving you of burdensome tasks such as configuration, updates, and patching - these can be risky if not done consistently and correctly.

Stephen McCallister, CPHIT, CPEHR, is a health IT consultant with over 20 years' experience managing technology for healthcare organizations. As chief information officer, he planned and implemented IT systems for multiple practice mergers and served as HIPAA Security Officer. He can be reached at steve.mccallister@frontier.com.