As technology continues to advance, the world becomes increasingly connected. Advances in information and communication technology have helped the healthcare industry replace paper-based systems with electronic health records (EHRs) that provide better, more cost-effective service. EHRs offer an easy way for doctors and patients to communicate digitally, and they benefit patients by enhancing their care through shared medical histories, improved diagnosis of disease, full access at all times, and reduced waiting room time; they also make it easier for providers to find what they need quickly. A modern healthcare organization should be able to rely on its network servers to collect sensitive data from customers at any time and to facilitate patient care when needed. This makes medical records immediately available in case of an emergency or other unexpected event: patients no longer have to wait until records are obtained by more traditional means such as faxing them over or making an appointment with someone who has physical copies of their information stored locally. But, like most things, there is a downside: this very same practice creates potential security risks such as software vulnerabilities, human error, unauthorized access, and digital interception. This blog is intended to uncover some of the primary high-risk areas where data security can be breached.
Data Breaches by the Numbers
The number of data breaches in the healthcare industry has steadily increased since 2005. According to an in-depth study by The National Center for Biotechnology Innovation (NCBI), the total number of individuals affected by all reported breaches between 2005 and 2019 was 249 million, with 157.4 million of those individuals affected within the last five years. In 2018 alone, 2,216 data breaches spanning 65 different countries occurred worldwide. Of these, 536 were within the healthcare realm. The numbers don’t lie: healthcare cybersecurity violations continue at alarming rates around the world every day, and there’s no sign of them slowing down.
Healthcare breaches cost, on average, two times more than others. Breaches in the healthcare industry have cost companies an average of $6.45 million, significantly higher than the $3.92 million average across other industries, according to IBM’s 2019 data breach report. These costs are rising as well: from 2014 to 2019, the median cost of lost or stolen patient information increased by 12%.
Action vs. Location
Data within this report seemed to point towards “paper/film” as the primary culprit behind most instances of PHI exposure. This clearly ran contrary to the results of our recent poll and to our own sense of how PHI was being exposed. As we dug deeper into the report, we found information clearly supporting hackers targeting EHRs as the primary source of leaked PHI. What we discovered was a delineation between the action taken that leads to the exposure of PHI and the location where PHI is most susceptible to being leaked.
Types of Healthcare Data Breaches
HIPAA data breach reports suggest that the primary means by which PHI is exposed is through hacking incidents, internal unauthorized disclosures, theft or loss from within a company’s facility, and improper disposal of records.
- From 2010 to 2019, a total of 2,860 data security breaches were carried out through the aforementioned disclosure types.
- 29.72% were due to hacking or IT incidents.
- 29.47% were due to internal unauthorized disclosures.
- 37.65% were due to cases of theft and loss.
- 3.14% occurred due to the improper disposal of unnecessary but sensitive data.
The most common type of data breach is theft/loss, followed by hacking/IT incidents, and then unauthorized internal disclosure. Very few breaches are a result of improper disposal.
Hacking events have seen a significant rise. Of the 850 hacking incidents reported from 2010 to 2019, 692 occurred in the four consecutive years 2016 to 2019. This accounts for 81%, and a shocking 32% are from 2019 alone.
While the above gets to the heart of the type of activity that led to a breach, in this section we’ll look at where the data was stored when it was breached. The locations where PHI can be breached include the following:
- Electronic Medical Records (EMR)
- Desktop computers
- Other portable electronic devices
- Paper documents
- Network server
Paper and film are the most susceptible to data breaches, according to the NCBI analysis. Of the eight locations in question, paper/film accounts for 575 out of 3,253 breaches, or 17.67% of the total. Email was at 17.52%, and network servers accounted for 16.69% of data breaches.
Paper and film were found to be the easiest target for data leakage given the improper disposal of unnecessary documents that contained PHI.
Contrary to widespread belief, Electronic Medical Records (EMR) saw the fewest instances, at just 5.99% of the total incidents in the same period. Other portable electronic devices made up 6.64% of the total, while desktop computers accounted for 9.40%. Attacks on email and network servers showed a significant increase from 2016 to 2019. Of 570 email-based data breach incidents in total, 457 were reported in the last four years (2016 to 2019) alone, and 35.03% were reported in 2019. Similarly, of 543 network-server-based data breach incidents in total, 348 were reported in the last four years (2016 to 2019), and 22.03% were reported in 2019.
The digitization of healthcare organizations and the excessive use of smart devices by customers are significant contributing factors in the occurrence of security breaches. Studies show that outdated security software, database servers with no password protection, and email accounts without any passwords are the most often cited reasons for security breaches. To make matters worse, our analysis also revealed a small decrease in breaches involving paper/film and desktop computers and laptops, which were sites where many data leaks occurred over the last four years.
The number one reason there have been so many such violations lately has everything to do with how much we rely on technology, and not just in hospitals. Outdated cybersecurity technologies combined with patients’ increased reliance on mobile phones can all too easily lead to major breaches of PHI. However, our historical reliance on paper has produced the easiest avenue for nefarious actors to gain access to PHI. As we progress towards a fully digital healthcare landscape, the impact of paper has lessened, but it still poses a significant threat that hospitals should be aware of. While digitization is the clear answer to paper-based PHI exposure, digitization clearly has inherent risks of its own. Given that healthcare data is a prize among hackers, we can expect their efforts, capabilities, and sophistication to increase over time.