It seems as if every week there is a new top data security issue for healthcare organizations to remain vigilant about. If nothing else, it further underlines why a well-rounded approach to data security is essential, and covered entities must ensure their administrative, technical, and physical safeguards are all current.
A recent report from a law firm shows why employee training and education programs are critical for all industries, including healthcare. Human error was the number one cause of data security issues, according to Baker Hostetler. The firm reviewed cases it had worked on in the last year that related to privacy and data protection, and found that employee negligence was responsible for 37 percent of reported issues.
Theft was the second most common reason for data security issues, with 22 percent of cases caused by outsider theft and 16 percent by insider theft. Fourteen percent of reported issues were due to malware incidents, and phishing scams accounted for 11 percent.
The report’s authors stated that these findings prove that organizations cannot rely solely on technology to eradicate data security risks.
“Sure, encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers. Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right ‘tone from the top’ and appropriate information security policies and procedures.”
The report also found that while no industry is immune to data security risks, some are more frequently attacked than others. Education, financial services, real estate, retail/hospitality, professional services, and healthcare were all affected by data security incidents last year, according to Baker Hostetler. However, healthcare breaches are the most frequently reported incidents, likely due to federal data breach notification requirements.
BakerHostetler Privacy and Data Protection team Co-chair Theodore Kobus explained in a statement that facilities must understand that data security is not just relegated to retailers, hospitals, and financial firms.
“Incidents do not only occur at businesses that have payment card data or protected health information,” Kobus said. “Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.”
Another important finding in the report was that electronic records are not the only ones that are at risk. Of the data security incidents Baker Hostetler handled in 2014, 21 percent involved paper records. Regardless of the data’s form, 58 percent of reported incidents were subject to state data breach notification laws.
In healthcare specifically, of the more than 80 HHS OCR investigations, just one resulted in a resolution agreement, according to the report. Moreover, after the report of a breach, regulators were most likely to ask for copies of policies and procedures governing privacy and security and evidence of education and awareness programs, including attendance logs. Risk assessments, risk mitigation plans, business associate agreements, and copies of disaster recovery plans were also commonly requested.
Other key report findings include:
- Attorneys General were notified in 59 cases, resulting in inquiries 31 percent of the time
- In the 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals
- Credit monitoring was offered in 67 percent of the incidents