Hackers are not the main cause of health data breaches

(Reuters Health) – According to a new study, most health data breaches in the United States in recent years have not been the result of hackers, but rather errors or errors in the security of people. health care organizations.

The researchers looked at data released by the US Department of Health and Human Services on 1,138 health data breaches, reaching a total of 164 million patients from October 2009 to the end of 2017.

Hackers got their hands on records for a total of 133.8 million patients in 233 separate incidents during the study period.

But the main cause of data breaches, accounting for 42% of the cases and 472 incidents, was the theft of equipment or information by unknown people or by current or former employees, revealed the company. study.

In 25% of the cases, employees had made mistakes, such as sending by mail or e-mail records to the wrong person, sending unencrypted data, retrieving records or the transmission of data to accounts or personal devices.

"More than half of the violations were caused by internal neglect and are therefore, to some extent, preventable," said study co-author, Ge Bai, of the Johns Hopkins Carey Business School at Washington, DC

Some health care organizations have put protected health information (PHI) on their websites without any protection by negligence, Bai said by email. Other times, employees did not use encryption even when they had access to an encryption tool.

"Numerical errors like these, as well as bricks and mortar, account for more than half of the violations," Bai added. "Our finding clearly has a positive side: it is not difficult to mitigate the risks of violation if health entities ensure that their employees apply simple protocols."

To address data breaches related to improper storage, health care organizations should move from paper-based medical records to digital medical records, Bai said. They should also avoid using mobile devices for protected information and instead use encryption, firewall protection and data storage in the cloud.

In addition, violations related to poor communication practices can also be avoided, Bai said. To do this, health care organizations must require a mandatory recipient verification, verify that no private information is exposed in the envelope windows of documents sent by mail and s & rsquo; ensure that encryption is used for email.

Mobile devices were involved in 46% of the cases, while paper records accounted for only 29% of the violations, the researchers report in JAMA Internal Medicine.

Employees taking data to their homes or forwarding them to personal email accounts contributed to 74 violations in the study, or about 6.5% of cases.

The study also found that mailing errors accounted for two-thirds of data breaches involving employee communication errors.

The study was not a controlled experiment designed to prove whether, or how, specific policies adopted by health care organizations could help prevent or enable security breaches.

SOURCE: bit.ly/2qSxnZv JAMA Internal Medicine, online 19 November 2018.