More PHI Breaches Caused by Providers, Insiders, Report Says
More Protected health information (PHI) is leaked by healthcare providers, not hackers, academic research by Michigan State University and Johns Hopkins University released Monday says.
Researchers say that when it comes to data breaches, more than half of the PHI leaked over the last eight years was compromised because of internal issues with healthcare providers.
The findings come via research published on Monday in the Journal of the American Medical Association. Researchers from Michigan State University and Johns Hopkins University said "internal negligence" was the biggest culprit of breaches between October 2009 and December 2017.
The research, “Evaluation of Causes of Protected Health Information Breaches,” was carried out by Xuefeng "John" Jiang, Michigan State University associate professor of accounting and information systems, and Ge Bai, associate professor at the John's Hopkins Carey Business School
Jiang and Bai operate under the assumption that PHI security is a concern for all involved - policymakers, health care entities, and the public - but posit that there hasn't been appropriate research conducted into the cause of breaches and how entities can best mitigate future breaches after one is detected.
Specifically Jiang and Bai looked at 1,150 cases affecting 164 million patients and found that 53 percent of the breaches were caused by internal causes with the lion's share, 25 percent, stemming from unauthorized access or disclosure. The remainder was caused by either theft, hacking, improper disposal, or simply the loss of the data.
“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said in advance of the report’s publication last week. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
The report shouldn't diminish the threat of hackers on a healthcare organization however; hacking accounted for 20 percent of the incidents the two researchers looked at. Bigger still, the number of records stolen by hackers: 133.8 million.
In the report the researchers stress that health care providers should adopt internal policies and procedures to tighten processes and prevent internal parties from leaking PHI by following a set of protocols. Organizations can and should transition from paper to digital records, move to non-mobile policies for patient-protected information and implement encryption if they haven't yet.
The research in recalls research published last month by academics at Massachusetts General Hospital's Center for Quantitative Health. In that report researchers looked at data breaches from 2010 to 2017 and found that the most healthcare records are lost by large health plans, 110.4 million over the period they looked at.
Monday’s paper follows up one released by Bai and Xuefeng and assisted by Renee Flasher, now an assistant professor at Penn State Harrisburg, in 2017. That research, “Hospital Risk of Data Breaches,” combed through data from the Department of Health and Human Services to determine which type of hospitals face a higher risk of data breaches. Their research suggested that larger facilities and hospitals that have a teaching mission are tied to the greatest risk of a breach, namely due to their "broad access to health information, essential for hospitals' quality improvement efforts and research and education needs."