According to a new report on healthcare data breaches in 2017, the three greatest threats to data security and privacy this year have been human error, hacking/malware and insiders. To prevent breaches, all industry players need to ask themselves if they are vulnerable to these threats and ensure that their software systems are updated.
- Unintended Disclosure: 41 percent (the large majority) of breaches are the result of unintended disclosure, a.k.a. user mistake or human error. These incidents can come in the form of emails inadvertently sent to the wrong recipient or emails that contain protected health information (PHI). Discharge instructions may be given to the wrong patient, or a server containing PHI can be accidentally left open to the public. Workforce training and education can go a long way to diminish incidents of unintended disclosure.
- Hacking or Malware: Hackers have continued to disproportionately target healthcare organizations in 2017, organizing significant and sophisticated attacks that account for 15 percent of breaches so far this year. Phishing attacks on hospitals, insurance providers, medical equipment suppliers and others have resulted in the leaking of tens of millions of patient names, social security numbers, medical records, diagnoses, treatment information and other clinical data.
- Insiders: Continuing reports of employee snooping and physical theft of on-site devices and data disprove the old-fashioned theory that the best way to protect data is to keep it close to home; these incidents account for 15 percent of breaches (physical loss can be blamed for another 8 percent). Typically this involves an employee viewing records without a work-related reason. Of note, the number of breaches attributed to employees is on the rise, but they are generally easier to mitigate than external threats.
Though the healthcare industry was slower to adopt cloud computing than other industries, most healthcare providers and employers now overwhelmingly believe that patient and employee benefits data is safer being managed by a software-as-a-service (SaaS) company than it is with on-premise software. SaaS platforms are also more likely to have data engineers and software experts dedicated to continuously monitoring and guarding accounts against the above threats.
How can a company know if a SaaS provider can be trusted to provide secure custody of data? Verify that they understand the regulatory requirements and are strictly compliant with HIPAA, SSAE 16 and PCI.