The Majority of EHR Security Breeches Are Inside Jobs

Looks like my suspicions are correct. Most health data breaches are inside jobs. But, what’s surprising, according to a somewhat recent survey from Veriphyr — an access and identity provider – is that the majority of data breaches of medical records is by practice employees.

According to the survey, most of the data breeches of medical records more than 35 percent were of healthcare employees peeking into the files of their co-workers. Another 27 percent of the breeches reported were of a healthcare employee’s family or friends

Also gleaned from the survey is that of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breech. Data breeches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.

Some of the report’s key findings include:

Top breaches by type:

When a breach occurred, it was detected in:

Once a breach was detected, it was resolved in:

According to Health Data Management, there have been more than 31,000 data breeches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to magazine, with “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”

Accordingly, some steps to limiting internal data breeches is to continuously educate your employees about the dangers and consequence of handling HIPAA-protected data appropriately, and in some case, it’s may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed to be used in the work setting, you need to establish some rules to protect the data the the devices access, and in some cases, you’re going to have to offer support of the devices.

For more details about how to create a BYOD plan, take a look at this recent post: Creating a BYOD Plan Protects Your Practice and Your Employees.

Nevertheless, the information about data breeches is shocking. The number of employees sneaking peeks at patient’s profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.

A 12-step Program to Ensuring the Secure Data in Your EHR Stays That Way

This line pretty much sums it up: Improve quality of care through electronic health records.

Apparently, it’s a motto of sorts for the New York City Department of Health and Mental Hygiene. Not bad when you think about it. Sort of has a “I-love-health-IT” ring to it.

As cool as the organization’s unofficial motto, it features a wealth of great information about the benefits of EHRs, how they can improve healthcare and patient outcomes and steps practice leaders need to take when working to protect the data contained in the records.

As such, NYC’s health department site is filled with great advice for practice administrators to take to create proper procedures and practices to maintain data security.

Here’s a nice, 12-step program for you, courtesy of the NYC:

1. Continue following the rules and regulations set forth by HIPAA. Do not leave printed patient health information where others have access to it. When scanning information into a patient’s EHR, destroy the paper copy when it is no longer needed. Unlike paper charts, it is easy to see a computer screen from across the room. Computer screens should not be visible from the waiting room, check-in area or any place an unauthorized person may be able to see a patient’s EHR. Install privacy filters on monitors to block anyone from viewing the computer from a side view.

2. Install antivirus, intrusion detection and firewall software.

3. Do not use social security numbers as a unique patient identifier. This is something I’d like to see adopted universally in healthcare. There’s no need for my SSN to be sitting on the top of my new patient forms for all the world to see.

4. Patients have the right to control who sees their information. Whether or not an EHR system is in place, do not share patients’ health information with anyone unless the patient has personally authorized it or such disclosure is authorized by law (e.g., mandated disease reporting). Ensure that employers,marketers and law enforcement or immigration officers do not have access to patient records. If your practice is part of a Health Information Exchange network, patients have the right to choose whether or not they will participate. Patients have the right to revoke their consent for sharing information.

5. Patients should understand their rights to consent, as listed in #4 above.

6. Always log out of the EHR system when leaving the computer. If EHRs are left open on the screen, other people can access and/or modify patient information. This activity will be logged as the user’s and he/she may be held accountable for any privacy violations.

For more about this subject, take a look at this insightful article by Dean Wiech of Tools4ever.

7. Keep all passwords safe and secret. Create a password carefully. Passwords should not be obvious, such as birthdays, pets’ names or favorite sports teams. Think of something that is easy for you to remember, but impossible for anyone else to guess. Never share passwords. If anyone asks a staff member for his/her password, the staff member should report that person immediately to the practice administrator. Passwords should not be posted or written down near the staff members’ desks. Change passwords every three months.

8. Ensure hardware is safe and secure. Portable computers are easy to steal. Computers, servers and other equipment that contain data should be locked in a secure place when not being used.

9. Be careful when accessing EHRs from outside of the office. When opening a patient’s EHR in public, make sure no one can see the computer screen. Only access EHRs from a secure Internet connection.

10. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.

11. Keep up with staffing changes. If an employee leaves the practice, change the user’s status to inactive. This means they can no longer sign in with their old password.

12. Review audit trails periodically. Reviewing audit trails can alert practices to potential system abuse or misuse. Some staff members forget to log out of their system, as well as access parts of the EHRs that are beyond their practice function. Audit trails can let practice administrators know when this occurs and take appropriate action.

So, as the old saying goes, “The more you know,  the further you’ll go.”

One-on-one with digiChart’s CEO Phil Suiter