Healthcare News & Insights

Top 3 causes of health data breaches – and how to avoid them

Protected health information is a valuable commodity for cybercriminals, and that means health IT pros must defend against a variety of attacks. What’s most often to blame for a health data breach? 

Data breaches affect nearly all healthcare organizations. In fact, 96% of organizations said they’d experienced a data breach at least once in the previous two years in a December 2011 Ponemon Institute study. Those incidents each caused an average of $2.2 million in financial damage.

Where should health IT teams focus their security efforts? Based on the study of 72 healthcare organizations’ security practices and experiences with breach incidents, these are the most common causes of data breaches in health care:

1. Mobile devices

Most healthcare organizations (81%) use mobile devices to store, access or transport protected health information, but 49% admit they don’t do anything to secure them. As a result, the most common cause of health data breaches was a lost or stolen computing device, blamed for 49% of security incidents. (Note: respondents were allowed to choose multiple answers, and many incidents were blamed on more than one factor.)

Here are some steps organizations can take to help prevent data breaches caused by lost or stolen mobile devices and other computing equipment:

  • Have a policy about taking information home. As computing devices become more portable, more doctors and other employees are taking patients’ sensitive information home with them — but that increases the likelihood of information being lost or stolen.
  • If you allow the use of personal devices, have a plan to secure them. Devices should be required to meet a list of security requirements, such as full-device encryption and remote wipe being enabled, before they may hold or access protected health information.
  • Keep offices physically secure. As laptops become the norm for computing, it’s becoming easier for criminals to break into an office and walk out with a lot of valuable data. Healthcare organizations must invest in physical security controls and regularly audit the security of their premises.

2. Third parties

As cloud computing becomes more common for electronic health records and other IT services, more protected health information is being moved from providers’ premises onto software vendors’ infrastructure. That means sensitive health data could be at risk of being compromised because of an incident at a third-party company. In fact, 46% of the breaches in Ponemon’s study were at least partially blamed on third-party snafus.

Healthcare organizations must take steps to keep data safe when it’s on another company’s servers, including:

  • Verifying vendors’ security practices before signing a contract — including what encryption methods they use, how they conduct background checks on employees, and how breach notifications are handled.
  • Conducting regular security audits and tests to make sure security remains up to the organization’s standards, and
  • Proactively managing security on the other end — for example, organizations should make sure data is encrypted while it’s transferred to the cloud and that only authorized users can access cloud accounts.

3. Employee mistakes

While healthcare organizations face security threats from malicious insiders, a more common insider threat is the employee who accidentally leaves sensitive information open to criminals. That was one of the root causes behind 41% of the breaches looked at by Ponemon.

One key to preventing breaches is offering better security training to employees, as 43% of healthcare organizations believe a lack of trained staff is one of their biggest security weaknesses. Experts say organizations can improve their security training by:

  • Including advice on how employees can keep their own information secure — that personal touch can help make sure security stays at the top of people’s minds,
  • Conducting periodic security tests to show stubborn employees that they may not know everything when it comes to security, and
  • Separating employees into a few groups (for example, based on job function) so they don’t have to sit through training that doesn’t apply to them.
