ePHI Data Breaches: How to Reduce the Human Risk

As we wrap up 2017, the number of healthcare data breaches are up over 2016, with 41% caused by “insiders” per the Protenus Breach Barometer mid-year review. Scarily, insider cybersecurity incidents affecting patients are on track to be far greater than 2016’s 2 million patients affected, with 1.17 million individuals already impacted as of the end of June 2017.

While not all healthcare data breaches are reported to the Department of Health and Human Services (HHS), these statistics are enough to shock the most naïve about how serious the risk is. The common denominator: us. Whether the data is compromised intentionally or through simple human error, direct human involvement remains one of the main causes of data breaches in the healthcare industry. Simply put - more needs to be done by healthcare entities to help prevent insider incidents, such as using technologies to detect breaches, and investing in security awareness training for ALL employees.

HIMSS North American Director, Privacy & Security recommends it too, particularly for healthcare providers, “Thinking about the larger hospitals and entities, they need to make sure their staff are going through the latest and greatest training for cybersecurity and keeping their knowledge up,” said Lee Kim, JD.

5 Ways You Can Improve Healthcare Data Protection

• Invest in a Chief Information Security Officer (CISO) and provide them with the personnel and company wide buy-in needed to set them up for success. Risk-reducing tip: Encourage the CISO to ally with the privacy officer for employee cross-education and cross-department goal-setting.
• Use the “latest and greatest training.” Go with scenario-based training vs the typical yawn-inducing slide presentations. There are technologies available such as KnowBe4 and PhishMe which help you manage the IT security problems of social engineering, spear phishing and ransomware attacks. Training should also be completed more frequently than once a year.
• Evaluate the security of your IT infrastructure with penetration testings. “Pen tests” use skilled cybersecurity and network testers to push barriers and look for cracks in hardware and software, as well as identify staff security issues.
• Pad your security toolbox with low cost options. Not every healthcare organization can afford a top tier, robust security team or the associated technical tools, but security still needs to be made a priority. Start with the basics such as Anti-Virus software, firewalls and limiting employee access to sensitive data.
• Create a Culture of Cybersecurity. From management to front desk, everyone feels more secure when they know their role in relation to healthcare data cybersecurity. Employee education, walking the talk, security basics – all lead to organization-wide security awareness.

We’re only human. There’s no eradicating human error any more than we can end cybercrime. However, employees – aka insiders – may be today’s greatest risk, but also potentially tomorrow’s best defense.

Stopping data breaches in 2018 needs to be a priority for all healthcare entities. To learn more about how Ostendio can help you be secure and compliant, contact us for a free demo.