The Majority of EHR Security Breaches Are Inside Jobs
Looks like my suspicions are correct. Most health data breaches are inside jobs. But what’s surprising, according to a somewhat recent survey from Veriphyr, an access and identity provider, is that the majority of data breaches of medical records are committed by practice employees.
According to the survey, the largest share of medical-record breaches, more than 35 percent, involved healthcare employees peeking into the files of their co-workers. Another 27 percent of the reported breaches involved employees looking into the records of their own family or friends.
Also gleaned from the survey: of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breach. Data breaches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.
Some of the report’s key findings include:
Top breaches by type:
- Snooping into medical records of fellow employees (35 percent)
- Snooping into records of friends and relatives (27 percent)
- Loss/theft of physical records (25 percent)
- Loss/theft of equipment holding record (20 percent)
When a breach occurred, it was detected in:
- One to three days (30 percent)
- One week (12 percent)
- Two to four weeks (17 percent)
Once a breach was detected, it was resolved in:
- One to three days (16 percent)
- One week (18 percent)
- Two to four weeks (25 percent)
According to Health Data Management, there have been more than 31,000 data breaches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to the magazine, with an “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”
Accordingly, some steps to limit internal data breaches are to continuously educate your employees about the dangers and consequences of mishandling HIPAA-protected data and about how to handle it appropriately, and in some cases it may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed in the work setting, you need to establish rules to protect the data those devices access, and in some cases you are going to have to offer support for the devices.
For more details about how to create a BYOD plan, take a look at this recent post: Creating a BYOD Plan Protects Your Practice and Your Employees.
Nevertheless, the information about data breaches is shocking. The number of employees sneaking peeks at patients’ profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.