Healthcare data breaches occur when sensitive information, including both personal (e.g., name, social security number, address) and private health data (e.g., medical history, health insurance information), is exposed to unauthorized parties. Because this type of information is confidential and should only be accessible to authorized healthcare providers, breaches should be uncommon. In reality, the number of breaches is increasing over time. A 2016 study on the privacy and security of healthcare data found that almost 90% of the medical institutions assessed had experienced a data breach in the previous two years.
When people hear about medical fraud and identity theft, they may assume that external entities, such as hackers, are the primary threat. However, the majority of data breaches are actually due to internal factors such as employee errors or carelessness [see figure below]. In fact, when it comes to data breaches, hospitals are more concerned about employee negligence than about online security. The most common cause of internal breaches is a mailing error, such as sending information to the wrong person. Lost or stolen equipment is another preventable factor that can lead to the unintended exposure of many patients’ private health information. The resulting damage from these data breaches can include patients receiving the wrong treatment, having their healthcare benefits exhausted, losing life and health insurance coverage, or having their benefits denied because of misuse by an imposter.
A simple solution to minimize breaches is providing healthcare staff with better overall training and more comprehensive information about the importance of maintaining data integrity. We all know how easy it is to be fooled by a seemingly legitimate phishing scam, where simply clicking a link enclosed in an email can be dangerous. Healthcare workers are no exception, and mandating explicit training in how to avoid unintentionally providing access to privileged information is one way to reduce this type of vulnerability.
Beyond issues with online security, privacy can also be breached in simple conversation. That’s why it’s also important to make sure all members of a healthcare team exercise proper discretion when dealing with sensitive information. Because hospitals are public spaces, it’s easy to overhear what others are saying. When hospital staff talk with or about patients, they risk revealing information to anyone close by. To avoid this, it’s important to foster awareness of confidentiality and to stress why it matters.
Whether personal health information is obtained via internal or external factors, it is an enticing target for cybercriminals. Healthcare records contain far more useful information than simple credit card data, and are sold on the black market for almost 60 times the price. Targeting the internal causes of data breaches through better training can help reduce their occurrence and keep your health information private and confidential.
The fact that internal data breaches are so prevalent shows how important it is that healthcare providers are self-aware enough to take stock of how their own actions can contribute. This is where it’s essential to have workers who are detail-oriented, conscientious, and empathetic. The last thing patients need is to have their existing health concerns compounded by anxiety about the disclosure of their information.
Written by: Elizabeth van Monsjou, Ph.D.