As reported by the HIPAA Journal, October 2019 was the worst month for healthcare data breaches on record, with a total of 52 incidents reported. While only two of the top 10 incidents in October involved unauthorized access or disclosure of PHI, that category accounted for over half (54%) of all incidents. This makes sense, as many of these incidents are by nature rather small – an employee inadvertently (or maliciously) accesses or discloses information involving a limited number of patients.
November fared somewhat better, with only seven incidents of unauthorized access and disclosure, none of them in the top 10. However, December 2019 did not end so well, with two notable incidents being reported in the last few days of the month.
Questions to Ask
Unauthorized access or disclosure incidents may be the result of simple curiosity, human error, or malicious intent. To prevent these types of incidents from occurring in your organization, it’s important to not only understand why these errors happened but also to assess the likelihood of similar errors happening in your organization.
As you review your IT Security and HIPAA Compliance strategies for 2020, here are a few questions to consider:
1. Do our employees have the skills they need to do the job?
There’s no escaping technology in modern healthcare, and many cases of inadvertent disclosure can be prevented by ensuring employees know how to use healthcare systems safely and securely.
2. Do we have proper supervision of work?
Employee empowerment is a good thing – usually. But, when it comes to PHI, it’s important to have checks and balances in place. The incident in Michigan was reported by another employee. The HIPAA Security Rule also requires proper supervision, so this safeguard isn’t optional.
3. Have our employees been thoroughly trained on HIPAA rules about handling PHI?
Workforce training is also required by the HIPAA Security Rule, but the regulation doesn’t specify how often this training is to be held or how extensive it needs to be. You’ll need to make that call based on your knowledge of your staff.
4. Do our employees demonstrate sound IT security habits?
While your doctor may warn you about the dangers of sharing straws, many of them evidently aren’t aware of the dangers of sharing passwords. In a 2017 study, 73% of medical providers said they had used a colleague’s login credentials to access EHR (electronic health records) while at work.
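Shared logins are hard to spot from an access-control list alone, because every session looks like the legitimate account holder. One signal a defender can pull from EHR access logs is an account that opens a session on a second workstation while its first session is still open. The script below is an added example, not code from the original post or from any EHR vendor; the log format, user names and workstation IDs are constructed for illustration, and the check is a heuristic (a clinician roaming between terminals can trigger it too), so hits are leads for review rather than proof of sharing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access log, invented for this example: the timestamps,
# user names and workstation IDs are not from any real system.
SAMPLE_LOG = """\
2019-12-18T08:02:11 user=drpatel ws=WS-ER-03 event=login
2019-12-18T08:05:40 user=nurse1 ws=WS-ER-07 event=login
2019-12-18T08:21:02 user=drpatel ws=WS-ICU-01 event=login
2019-12-18T08:30:00 user=drpatel ws=WS-ER-03 event=logout
2019-12-18T09:10:15 user=nurse1 ws=WS-ER-07 event=logout
2019-12-18T09:12:00 user=nurse1 ws=WS-ER-09 event=login
2019-12-18T09:50:00 user=drpatel ws=WS-ICU-01 event=logout
"""

# Assumed line layout: ISO timestamp, then key=value fields. Adjust for a real log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) event=(?P<event>login|logout)$"
)


def parse_log(text):
    """Yield (timestamp, user, workstation, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["ws"], m["event"])


def find_concurrent_sessions(text):
    """Flag every login by an account that still has an open session on a
    different workstation. Returns a list of dicts, one per hit."""
    active = defaultdict(dict)  # user -> {workstation: login_time}
    hits = []
    for ts, user, ws, event in sorted(parse_log(text), key=lambda r: r[0]):
        if event == "logout":
            active[user].pop(ws, None)
            continue
        # A login while another workstation is still open for this user is the signal.
        for open_ws, since in active[user].items():
            if open_ws != ws:
                hits.append({"user": user, "new_ws": ws, "open_ws": open_ws,
                             "open_since": since.isoformat(), "at": ts.isoformat()})
        active[user][ws] = ts  # (re)open the session on this workstation
    return hits


if __name__ == "__main__":
    for hit in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{hit['user']} logged in at {hit['new_ws']} ({hit['at']}) "
              f"while {hit['open_ws']} has been open since {hit['open_since']}")
```

On the sample data only `drpatel` is flagged: the login at WS-ICU-01 happens while the WS-ER-03 session is still open, whereas `nurse1` logs out of WS-ER-07 before appearing at WS-ER-09. Pairing the flagged session with badge-access or scheduling data is the usual next step before treating it as a shared credential.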
5. How well do we manage access to our systems?
In one cross-industry study, 50% of IT leaders said they didn’t immediately de-provision the access credentials of terminated employees. Disgruntled former employees often have plenty of time to gather data that can be sold on the dark web or just used to satisfy a perverse sense of curiosity.
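The practical control behind this question is a recurring reconciliation of the identity store against HR: every terminated person should have a disabled account, and no login should post-date a termination. The script below is an added example, not code from the original post or from any HR or identity product; the two exports, their field names and the dates are constructed for illustration, and a real deployment would feed it CSV, LDAP or API output in whatever shape those systems produce.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample exports, invented for this example: an HR roster with
# termination dates and an identity-store listing of accounts. The field
# names and record shape are an assumption, not any vendor's format.
HR_ROSTER = [
    {"user": "jdoe",   "terminated": "2019-12-02"},
    {"user": "asmith", "terminated": None},
    {"user": "bwong",  "terminated": "2019-11-15"},
    {"user": "ckhan",  "terminated": "2019-12-30"},
]
IAM_ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_login": "2019-12-20T08:12:00"},
    {"user": "asmith",     "enabled": True,  "last_login": "2019-12-31T09:00:00"},
    {"user": "bwong",      "enabled": False, "last_login": "2019-11-14T17:45:00"},
    {"user": "ckhan",      "enabled": True,  "last_login": "2019-12-30T16:05:00"},
    {"user": "svc_backup", "enabled": True,  "last_login": None},
]


@dataclass
class Finding:
    user: str
    issue: str   # "still_enabled", "login_after_termination" or "orphan"
    detail: str


def _to_date(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def audit_deprovisioning(hr_roster, iam_accounts, as_of: str, grace_days: int = 0):
    """Reconcile the identity store against HR. Flags terminated users whose
    accounts are still enabled past the grace period, any login recorded after
    the termination date, and accounts that have no HR owner at all."""
    as_of_date = date.fromisoformat(as_of)
    termination = {r["user"]: _to_date(r["terminated"]) for r in hr_roster}
    findings = []
    for acct in iam_accounts:
        user = acct["user"]
        if user not in termination:
            findings.append(Finding(user, "orphan", "no HR record; confirm owner or disable"))
            continue
        term = termination[user]
        if term is None:
            continue  # active employee, nothing to check here
        last = datetime.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if last and last.date() > term:
            findings.append(Finding(user, "login_after_termination",
                                    f"last login {last.date()} is after termination {term}"))
        if acct["enabled"] and (as_of_date - term).days > grace_days:
            findings.append(Finding(user, "still_enabled",
                                    f"terminated {term}, still enabled "
                                    f"{(as_of_date - term).days} days later"))
    return findings


if __name__ == "__main__":
    for f in audit_deprovisioning(HR_ROSTER, IAM_ACCOUNTS, "2019-12-31"):
        print(f"{f.user:12} {f.issue:24} {f.detail}")
```

Run against the sample data as of 2019-12-31, it reports `jdoe` twice (still enabled, and a login 18 days after termination), `ckhan` as still enabled one day after termination, and `svc_backup` as an account with no HR owner. The `grace_days` argument lets a team tolerate same-day or next-day processing lag without hiding the long-overdue cases; `ckhan` drops out at `grace_days=1` while `jdoe` remains.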
6. How well are we managing our mobile devices?
As we mentioned in a recent post, smartphones can be HIPAA compliant, but they need to be managed well. The same goes for laptops and tablets. And just recently, there was another report of a stolen laptop exposing nearly 5000 patient records.
Looking Forward to the Year Ahead
There are lots of reasons to be excited about 2020. However, the data security threat landscape probably isn’t one of them. As mentioned at the top of this article, 2019 was a challenging year for healthcare organizations, and 2020 is shaping up to be a bumpy ride as well. Contact us today with any questions and follow us for more strategies on how you can protect yourself from data breaches and other types of IT incidents.