As a digital healthcare technology company, we have a great appreciation for the complex business challenges and stringent security requirements inherent in the healthcare industry. Like the financial sector, healthcare companies deal in regulated data, and any leakage of that data, protected health information (PHI) in a hospital's case, is a big deal. Over the past several years attackers have increasingly directed their efforts at healthcare data, more so than at most other industries, because of the high value healthcare records fetch on the black market. Along with the increased focus on healthcare, the frequency and sophistication of attacks have increased as well.
One can expect this trend of attackers targeting hospitals with greater specificity, frequency, and capability to continue. It is therefore imperative that all healthcare professionals be better informed and trained, so that the vigilance needed to reduce the likelihood of malicious or inadvertent leakage of PHI actually increases. In this blog we want to shine a light on two key points that we feel are not widely understood within the healthcare community. These two points deal with "action" and "location". Healthcare professionals should understand what each of these is and the role each plays in the leakage of PHI.
An Honest Path of Discovery Starting with a Poll
Recently we conducted a security-focused poll aimed at a variety of healthcare professionals in hospitals across the US. We asked the audience a very simple question: "In the past 10 years, which one of the following has been the leading source of health information breaches?" We did not find the results terribly surprising; they are listed below.
What became interesting was the internal discussion here at access that started once we began researching the data in a report titled "Healthcare Data Breaches: Insights and Implications", available from the National Center for Biotechnology Information.
Data within that report seemed to point towards "paper/film" as the primary culprit behind most instances of PHI exposure. This clearly ran contrary to the results of the poll and to our own sense of how PHI is being exposed. As we dug deeper into the report, we found information that clearly supported hackers targeting EHRs as the primary source of leaked PHI. What we discovered was a delineation between the action taken that leads to the exposure of PHI and the location where PHI is most susceptible to being leaked.
Action vs. Location
Action | Data Disclosure Types
Action represents what happened that caused the disclosure of PHI. The study represents a number of different types of action, including hacking or malicious attacks, intentional insider attacks, physical damage, computer loss, and unintentional loss.
Location | Area of Breach
Location represents the area where the breach of PHI occurred. Locations include EHR/EMR systems, laptops and desktop computers, personal electronic devices, paper and films, and email.
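The reason action and location give different answers is that every breach record carries both fields, and the "leading source" depends on which field you tally and on whether you count incidents or individuals affected. The following Python script is an added example, not code or data from the original post or from the NCBI report: the breach records in it are constructed, and the category names and the per-record "individuals affected" figures are assumptions chosen to make the point visible. It goes slightly beyond the text by also showing how the answer changes when you weight by individuals affected rather than by number of incidents.

```python
from collections import Counter, defaultdict

# Constructed sample breach records (NOT figures from the report or the poll).
# Each record is (action, location, individuals_affected).
SAMPLE_BREACHES = [
    ("hacking/IT incident", "EHR/EMR", 350000),
    ("hacking/IT incident", "network server", 120000),
    ("hacking/IT incident", "email", 4500),
    ("unauthorized access/disclosure", "paper/films", 900),
    ("unauthorized access/disclosure", "paper/films", 1200),
    ("unauthorized access/disclosure", "paper/films", 700),
    ("unauthorized access/disclosure", "email", 2100),
    ("loss", "paper/films", 600),
    ("loss", "laptop", 3800),
    ("theft", "laptop", 5400),
    ("theft", "paper/films", 800),
    ("improper disposal", "paper/films", 1500),
]

ACTION, LOCATION, AFFECTED = 0, 1, 2


def tally(records, key_index, weight_index=None):
    """Tally records by the field at key_index (ACTION or LOCATION).

    With weight_index=None each record counts once (incident count);
    with weight_index=AFFECTED the per-record individuals are summed.
    """
    counts = Counter()
    for rec in records:
        counts[rec[key_index]] += 1 if weight_index is None else rec[weight_index]
    return counts


def leading(records, key_index, weight_index=None):
    """Return (category, total) for the largest tally."""
    return tally(records, key_index, weight_index).most_common(1)[0]


def crosstab(records):
    """Incident counts for every action x location pair, as nested dicts.

    This is the view that keeps both fields, so a reader can see, e.g.,
    that paper/films breaches come from several different actions.
    """
    table = defaultdict(Counter)
    for action, location, _ in records:
        table[action][location] += 1
    return {action: dict(locs) for action, locs in table.items()}


if __name__ == "__main__":
    # Same records, four different "leading source" answers.
    print("Leading action by incidents:     ", leading(SAMPLE_BREACHES, ACTION))
    print("Leading location by incidents:   ", leading(SAMPLE_BREACHES, LOCATION))
    print("Leading action by individuals:   ", leading(SAMPLE_BREACHES, ACTION, AFFECTED))
    print("Leading location by individuals: ", leading(SAMPLE_BREACHES, LOCATION, AFFECTED))
    for action, locs in crosstab(SAMPLE_BREACHES).items():
        print(f"{action:32s} {locs}")
```

On this constructed data, counting incidents makes paper/films the leading location and unauthorized access the leading action, while weighting by individuals affected makes hacking the leading action and EHR/EMR the leading location. A poll that asks for the single "leading source" without saying whether it means action or location, or incidents or individuals, will get answers that are all defensible and all different.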
What became clear is that many people are unaware of the difference between the action that disclosed PHI and the location where PHI is most susceptible to exposure. In this blog we have laid the groundwork for understanding these two elements of the broader data security story. In the next blog we will dive deeper into the numbers that reveal what is actually happening with the exposure of PHI. Stay tuned!