As reported by the HIPAA Journal, October 2019 was the worst month for healthcare data breaches on record, with a total of 52 incidents reported. While only two of the top 10 incidents in October involved unauthorized access or disclosure of PHI, it was the cause of over half (54%) of all incidents. This makes sense as many of these types of incidents are, by nature, rather small – an employee inadvertently (or maliciously) accesses or discloses information involving a limited number of patients.
November fared somewhat better with only seven incidents of unauthorized access and disclosure, none of them in the top 10. However, December 2019 did not end so well, with two notable incidents being reported in the last few days of the month.
First, an employee at a community health facility in Michigan was found to have been accessing patient records, without authorization, for the last three years. It appears to be a case of curiosity, and the medical facility is providing more training for employees. No word yet from the OCR on whether additional action will be taken against the employee or the facility.
Another incident at a children’s hospital in Chicago was also reported. This unauthorized access spanned roughly a year, from September 2018 to September 2019. The hospital notified patients and said that it didn’t appear that any information had been stolen, but it offered no explanation of the motive behind the unauthorized access.
6 Questions to Ask
Unauthorized access/disclosure incidents may be the result of simple curiosity, human error, or malicious intent. To prevent these types of incidents from occurring in your organization, it’s important to not only understand why these errors happened, but also to assess the likelihood of similar errors happening in your organization.
As you review your IT Security and HIPAA Compliance strategies for 2020, here are a few questions to consider:
#1 Do our employees have the skills they need to do the job? There’s no escaping technology in modern healthcare, and many cases of inadvertent disclosure can be prevented by ensuring employees know how to use healthcare systems safely and securely.
#2 Do we have proper supervision of work? Employee empowerment is a good thing – usually. But, when it comes to PHI, it’s important to have checks and balances in place. The incident in Michigan was reported by another employee. The HIPAA Security Rule also requires proper supervision, so this safeguard isn’t optional.
#3 Have our employees been thoroughly trained on HIPAA rules about handling PHI? Workforce training is also required by the HIPAA Security Rule, but the regulation doesn’t specify how often this training is to be held or how extensive it needs to be. You’ll need to make that call based on your knowledge of your staff.
In our experience, quarterly refresher courses on common mistakes and how to avoid them can help keep security and HIPAA compliance top of mind. Regardless of whether the OCR decides to prosecute the individuals involved in the two cases mentioned above, organizations should make it clear that a no-tolerance policy will be strictly enforced.
#4 Do our employees demonstrate sound IT security habits? While your doctor may warn you about the dangers of sharing straws, many of them evidently aren’t aware of the dangers of sharing passwords. In a 2017 study, 73% of medical providers said they had used a colleague’s login credentials to access EHR (electronic health records) while at work.
#5 How well do we manage access to our systems? In one cross-industry study, 50% of IT leaders said they didn’t immediately deprovision the access credentials of terminated employees. Disgruntled former employees often have plenty of time to gather data that can be sold on the dark web or just used to satisfy a perverse sense of curiosity.
#6 How well are we managing our mobile devices? As we mentioned in a recent post, smartphones can be HIPAA compliant, but they need to be managed well. The same goes for laptops and tablets. And just recently, there was another report of a stolen laptop exposing nearly 5000 patient records.
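As an added illustration of questions #2, #4 and #5 (not part of the original post), the following Python reviews constructed EHR audit-log records for the three patterns the post raises: access by an account that should have been deprovisioned, one login in use on two workstations at almost the same time, and a user opening charts outside their own unit for months on end. All records, user names, unit codes, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR audit records: (timestamp, user, workstation, patient_id, patient's unit).
AUDIT_LOG = [
    ("2019-09-03T08:01", "jdoe", "WS-12", "P100", "ONC"),
    ("2019-09-03T08:02", "jdoe", "WS-41", "P221", "ONC"),   # same login on a second workstation a minute later
    ("2019-09-03T09:10", "rlee", "WS-07", "P300", "CARD"),
    ("2019-09-04T14:20", "tgone", "WS-19", "P555", "PEDS"),  # account of an employee terminated 2019-08-30
    ("2019-09-05T10:00", "mcur", "WS-22", "P601", "PEDS"),
    ("2019-09-05T10:03", "mcur", "WS-22", "P602", "ONC"),
    ("2019-09-05T10:05", "mcur", "WS-22", "P603", "CARD"),
    ("2019-09-05T10:09", "mcur", "WS-22", "P604", "PEDS"),
    ("2019-09-05T11:00", "mcur", "WS-22", "P605", "ER"),     # chart in the user's own unit: not counted
]
TERMINATED = {"tgone": "2019-08-30"}                         # HR termination dates (constructed)
ASSIGNMENT = {"jdoe": "ONC", "rlee": "CARD", "mcur": "ER"}   # unit each user works in (constructed)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def deprovisioning_gaps(log, terminated):
    """Accesses dated after the user's termination: the account should already have been disabled."""
    return [(u, ts) for ts, u, _ws, _p, _unit in log
            if u in terminated
            and parse(ts).date() > datetime.strptime(terminated[u], "%Y-%m-%d").date()]

def shared_credential_suspects(log, window=timedelta(minutes=5)):
    """Accounts seen on two different workstations within `window`: a sign the login is being shared."""
    by_user = defaultdict(list)
    for ts, u, ws, _p, _unit in log:
        by_user[u].append((parse(ts), ws))
    suspects = set()
    for u, events in by_user.items():
        events.sort()
        for (t1, ws1), (t2, ws2) in zip(events, events[1:]):
            if ws1 != ws2 and t2 - t1 <= window:
                suspects.add(u)
    return suspects

def curiosity_browsers(log, assignment, threshold=3):
    """Users who opened at least `threshold` distinct charts belonging to units other than their own."""
    outside = defaultdict(set)
    for _ts, u, _ws, patient, unit in log:
        if assignment.get(u) != unit:
            outside[u].add(patient)
    return {u: len(charts) for u, charts in outside.items() if len(charts) >= threshold}
```

Run against a real audit export, each hit is a lead for the supervisory review in question #2, not a finding by itself; clinicians who float between units will need their assignments widened or the threshold raised.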
Looking Forward to the Year Ahead
There are lots of reasons to be excited about 2020. However, the data security threat landscape probably isn’t one of them. As mentioned at the top of this post, 2019 was a rough year for healthcare organizations, and 2020 is shaping up to be a bumpy ride as well. Continue to follow us for more strategies on how you can protect yourself from data breaches and other types of IT incidents. In the meantime, we hope you are having a safe and prosperous New Year!