Data breach? Probably not hackers...


Tuesday, 27 November, 2018

While data security has been a hot topic in recent months, particularly in light of hacking attempts on hospital and healthcare facilities, a new study has found that when it comes to health data breaches, hospitals, doctors' offices and even insurance companies are often the culprits.

New research from and found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.

"There's no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors but rather by internal negligence," said John (Xuefeng) Jiang, lead author and Associate Professor of Accounting and Information Systems at MSU's Eli Broad College of Business.

The research, published in , follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

For this paper, Jiang and co-author Ge Bai, Associate Professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1150 cases between October 2009 and December 2017 that affected more than 164 million patients.

"Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause," Jiang, the Plante Moran Faculty Fellow, said. "These causes fell into six categories: theft, unauthorised access, hacking or an IT incident, loss, improper disposal or 'other'."

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53% were the result of internal factors in healthcare entities.

"One-quarter of all the cases were caused by unauthorised access or disclosure – more than twice the amount that were caused by external hackers," Jiang said. "This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorisation, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content."

While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients' personal data.

"Hospitals, doctors' offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk," Jiang said.

Of the external breaches, theft accounted for 33% with hacking credited for just 12%.

While some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so weren't aware of the situation until they went to file their taxes only to discover that a third party had fraudulently filed them with the data they obtained from Anthem.

While tight software and hardware security can protect from theft and hackers, Jiang and Bai suggest healthcare providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a "copy vs blind copy" protocol (bcc vs cc) as well as encryption of content.

"Not putting on the whole armour opened healthcare entities to enemies' attacks," Bai said. "The good news is that the armour is not hard to put on if simple protocols are followed."

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.

Image credit: ©stock.adobe.com/au/Mila Gligoric
