Latest news in Nephrology on November 19, 2018 (5 out of 5)




Your personal identity may be at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors' offices and even insurance companies are often the culprits.

A new study from Michigan State University and Johns Hopkins University found that more than half of breaches of personal health information, or PHI, were due to internal problems at medical providers, and not to hackers or third parties.

"There is no ideal way to store information, but more than half of the cases reviewed were not triggered by external factors, but rather by internal negligence," said John (Xuefeng) Jiang, author Principal and Associate Professor of Accounting and Information Systems at MSU's Eli Broad College of Business.

The research, published in JAMA Internal Medicine, follows the joint study of 2017 that showed the extent of data breaches in hospitals in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over a seven-year period, with 33 hospitals having more than one substantial violation.

For this article, Jiang and his co-author, Ge Bai, associate professor at the Johns Hopkins Carey Business School, delve deeper into what triggers PHI data breaches. They examined nearly 1,150 cases between October 2009 and December 2017, which affected more than 164 million patients.

"Whenever a hospital is victim of a data breach, it must notify the Ministry of Health and Human Services and categorize what it believes to be the cause," Jiang said. , a scholar at the Plante Moran faculty. "These cases fall into six categories: theft, unauthorized access, computer hacking or computer incident, loss, improper disposal or" other "."

After reviewing detailed reports, evaluating notes and reclassifying cases with specific criteria, Jiang and Bai found that 53% resulted from factors internal to the health care entities.

"A quarter of all cases were caused by unauthorized access or disclosure – more than twice the amount caused by external hackers," Jiang said. "It may be an employee who brings home personal health information or transfers it to an account or personal device, accesses data without authorization, or even through e-mail errors, like sending to bad recipients, copying instead of blindly copying or sharing unencrypted content.

While some of the mistakes seem like matters of common sense, Jiang said that big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise the personal data of patients.

"Hospitals, doctors 'offices, insurance companies, small doctors' offices and even pharmacies are making these kinds of mistakes and putting patients at risk," Jiang said.

Theft accounted for 33% of external violations, with hacking being credited with only 12%.

Some data breaches can have minor consequences, such as exposing patients' phone numbers, but others can have much more invasive effects. For example, when Anthem, Inc. was the victim of a data breach in 2015, 37.5 million records were compromised. Because many victims were not informed immediately, they were not aware of the situation until they filed their tax returns and discovered that a third party had already fraudulently filed them using the data obtained from Anthem.

While software and hardware security can protect against theft and hackers, Jiang and Bai suggest that health care providers adopt internal policies and procedures to tighten processes and prevent internal parties from disclosing personal health information by following a set of simple protocols. Procedures to mitigate storage-related PHI breaches include the transition from paper medical records to digital medical records, secure storage, the shift to non-mobile policies for patient-protected information and the implementation of encryption. Procedures related to PHI communication include mandatory verification of mail recipients, adherence to a copy versus blind copy protocol (cc & bcc) and encryption of content.

"Not wearing all of the armor has paved the way for health care entities to attack the enemy," Bai said. "The good news is that armor is not difficult to put on if simple protocols are followed."

Next, Jiang and Bai plan to take a closer look at the kind of data that is hacked by external sources to find out what digital thieves are hoping to steal from patient data.
