The Most Common Causes of ePHI Breaches

HIPAA isn’t new, but compliance continues to be a challenge for healthcare organizations. Even meeting HIPAA requirements won’t guarantee protection from every breach. In fact, there was a 25% year-over-year increase in healthcare data breaches from 2019 to 2020. When these breaches expose or compromise Electronic Protected Health Information (ePHI), patient privacy and safety are at risk.

Healthcare organizations face steep costs to recover from an ePHI breach. They must comply with the requirements of the HIPAA Breach Notification Rule and face potential fines and penalties, in addition to coping with reputational damage and the loss of patient trust. 

ePHI is any snippet of data that can tie back to a unique patient. Because of the proliferation of ePHI with digital-first healthcare, it’s become difficult to keep this information under lock and key. 

5 Common Causes of ePHI Breaches

If organizations fail to secure ePHI, they risk not only penalties from the Office for Civil Rights (OCR) but also the sticky public relations issues that come from a loss of trust. Most importantly, if ePHI is not secure, patient safety is at risk. In this guide, we’ll break down the most frequent causes of ePHI breaches.

1. Unsecured Devices

Unsecured devices are one of the most common causes of ePHI breaches. Since employees may create, view, edit, and process ePHI on laptops, smartphones, and tablets, it’s never been easier to share ePHI. If employees lose their devices and/or fail to secure them, sensitive data is at risk of exposure or compromise. This is a clear HIPAA violation because nefarious actors can potentially access thousands — perhaps even millions — of patient records. 

This is no small problem, either. For example, in 2019, one New York-based medical center agreed to pay a $3 million judgment for potential HIPAA violations, along with agreeing to take substantial corrective actions. The reason for the breach? A lost flash drive and laptop containing unencrypted patient information.

It’s tempting to limit employee access to electronic devices, but clinicians need these devices to improve the quality of patient care and streamline the efficiency of administrative and other processes. To manage risks, ensure all devices are password-protected and encrypted so that the data is uninterpretable should an unauthorized person gain access. It’s also a good idea to ensure that devices can be wiped remotely in the event of loss or theft.

2. Employee Misconduct

Another shockingly common source of ePHI breaches is employee misconduct, also known as an insider threat. This might happen accidentally if your employees don’t know what HIPAA requires of them. But it can also happen maliciously when employees know the law and break it anyway. 

For example, a former employee of one medical group used their login credentials to access protected health information and patients’ contact information. This is incredibly common if you care for famous or high-profile patients, like celebrities, and employees want to snoop on their information.

To combat this, it’s best to conduct regular HIPAA training with your team. Create a strong culture of compliance — as well as frequent internal audits — so employees know that HIPAA compliance is serious. And always terminate access immediately for any employee who separates from the company for any reason. 

3. Cyber Attacks

Countless healthcare organizations have experienced ePHI breaches as a result of cyber attacks. These attacks are concerning for several reasons, but they’re especially damaging in healthcare because they often lead to the leak of hundreds of thousands (even millions) of records — and the consequences can be costly and life threatening. 

In fact, the average cost of a healthcare data breach has climbed to $10.1 million, according to IBM’s 2022 Cost of a Data Breach Report, a 9.4% increase from the 2021 report. That’s more than twice the average cost of a data breach across all industries, which also reached an all-time high of $4.35 million in 2022.

New hacking threats are on the rise, too. According to IBM’s 2022 Cost of a Data Breach Report, the most common cause of a data breach across all industries is stolen or compromised credentials, accounting for 19% of all data breaches analyzed. Phishing is the second most common cause, according to the report, accounting for 16% of data breaches across all industries. 

More cyber criminals are conducting ransomware attacks where they steal an organization’s data and hold it hostage in exchange for a ransom. According to the Sophos State of Ransomware in Healthcare 2022 report, ransomware attacks in the healthcare industry nearly doubled between 2020 and 2021, from 34% to 66%. What’s more, the report found that healthcare organizations are most likely to pay ransom, with 61% of organizations paying the ransom to regain access to their encrypted data. Across other industries, 46% of organizations pay ransom, on average. 

Despite their likelihood to pay ransom, healthcare organizations tend to recover less data after doing so compared to other industries, just 65% in 2021, a decrease from 68% in 2020. What’s more, just 2% of healthcare organizations that paid ransom regained 100% of their data, a decrease from 8% in 2020. 

Among industries with the highest costs of recovery from a ransomware attack, healthcare ranks second, with an average cost of $1.85 million compared to an average of $1.4 million across all industries. When you factor in the cost of the ransom and the potential HIPAA fines that come with the violation, a breach can be incredibly costly. You can’t prevent all cyber attacks, but resilient IT architecture will help you reduce your organization’s risk. 

4. Stale Data & Improper Data Disposal

Does your organization follow best practices for deleting PHI and ePHI after use? DataStat, a healthcare business associate, received a HIPAA violation because it unintentionally exposed ePHI through improper disposal. 

Typically, healthcare organizations are legally required to retain medical records for a minimum of 7 years, although this requirement varies by state and type of healthcare provider. In the case of pediatrics, healthcare organizations may be required to retain medical records for much longer. For instance, in Nevada, providers must retain minors’ medical records until the patient reaches 23 years of age, and in North Carolina, providers must retain minors’ records until the patient reaches 30 years of age. 

These lengthy data retention requirements increase vulnerability in healthcare, as stale data that lingers for decades poses a risk of compromise. That’s why it’s crucial to maintain visibility into ePHI and have internal methods for proper data disposal for records that legally can be disposed of.  

5. Improper ePHI Disclosures

Does your staff talk about ePHI openly? HIPAA has strict rules governing what your staff can disclose about a patient’s ePHI. For example, one Ohio-based healthcare organization exposed over 1,000 records by improperly disclosing information via email.

Train your staff on how they’re allowed to disclose patient information. Unless patients gave written consent to share healthcare information with a specific person, it must remain confidential. 

Minimize Your Risk Exposure with a Platform Built for ePHI

Nationally, healthcare organizations are sharing more and more ePHI. This might give patients a better experience, but it increases the threat surface for healthcare organizations. As demand increases for telehealth and digital workflows, there’s a pressing need for healthcare organizations to share ePHI securely.   

HIPAA continues to expand its rules, so the compliance landscape is getting even rockier, and healthcare organizations need a trusted partner to manage and protect ePHI.  

Tausight provides a consolidated, real-time view into both structured and unstructured PHI/ePHI and detects, tracks, and analyzes ePHI activity and risk on any endpoint device in the care continuum. For more information, visit Tausight today.

David Ting

Founder and CTO, Tausight
