2015 was an explosive year for breaches of protected health information – more than 113 million records were exposed.
One in three Americans received a warning notice that their private data was at risk. These letters were most likely from Anthem (80 million records breached), Premera Blue Cross (11 million) or Excellus (10 million) insurance companies.
That’s a stunning set of incursions, the result of advanced, persistent cyberattacks on IT systems. As individuals, we all have good reason to be alarmed by lax cyber security practices at such companies.
But headlines make it easy for healthcare professionals, especially those in small to mid-sized practices, to draw the wrong lessons and gird themselves for the wrong battles. Massive breaches at insurance companies obscure the threats that actually face provider practices, leaving them unprepared for their real critical risks. When providers take their guidance from industrial-grade breaches, they overlook the far more common threats their own practices face. So let's break down the numbers from 2015 and draw the correct lessons from what actually occurred.
First, set aside the breaches at health plans like Blue Cross or Anthem. They dominate the news out of all proportion to the number of actual incidents. Insurance companies accounted for more than 90% of the patient records exposed last year, but their share of breach incidents is far lower. Of the 268 breach incidents reported to the Department of Health and Human Services in 2015, the vast majority occurred at providers (73%) or their business associates (4%). And I'd guess that you, reading this, are more concerned about a provider's vulnerabilities than about those of Blue Cross or Anthem.
What do the actual incidents at provider practices teach us?
While network security against external cyberattacks remains (of course!) a vital concern, the vast majority of incidents at providers have human causes, most of them originating inside the practice itself!
Let's quickly review the breach categories other than hacking. Improper Disposal is self-explanatory: think of unlocked dumpsters with paper records blowing out (yes, this happens far more often than one might think). Loss or Theft is most often of equipment: unencrypted desktop computers, laptops, portable drives or other mobile devices. Unauthorized Disclosure or Access covers everything from accidentally posting data on a website, mailing records to the wrong recipient, downloading malware that exposes patient data, or sharing inappropriately through gossip or even loud voices.
So four of every five provider breach incidents have nothing to do with network hacking. Their common cause is human error. Even loss or theft of unencrypted equipment isn't a no-fault circumstance. Under the HHS breach notification guidance, patient data encrypted with a NIST-approved method (AES applied to the whole disk or device) is treated as unusable and unreadable, so a lost or stolen device carries no reportable breach, provided the decryption key or password was not lost with it: a key saved on the same laptop, or a password on a sticky note in the laptop bag, forfeits that protection. Encryption is an addressable specification of the HIPAA Security Rule: a practice must either implement it or document why it is not reasonable and appropriate and what equivalent measure it uses instead. Doing neither opens the practice to a finding of "willful neglect" and greater penalties.
Were 2015's statistics exceptional? Not in this regard: an initial review of 2016 shows much the same share of breaches not caused by IT hacking. Five of every six breaches reported in January and February could have been prevented by staff better fulfilling their roles as guardians of patient privacy.
What's the answer? It is the most basic requirement of HIPAA: training, testing and more training. The law prescribes job-appropriate instruction for every employee on his or her responsibilities to safeguard patient information. That means everyone, including janitorial staff. Unfortunately, "training" is too often interpreted as pro-forma web or video presentations: fine for checking a box on a compliance punch-list, but wholly inadequate for real protection. Packaged presentations are useful for sharing basic information, but they do little or nothing for the situational awareness that today's threat environment demands of every staff member.
Think of how we learn to drive. Books, study guides and lectures are fine for learning rules of the road, but are no substitute for experience behind the wheel. Or consider how we deal with fire safety at schools. Parents expect students to have regular fire drills, practical exercises in proper procedure. We should expect no less regarding information safety.
Training should engage employees' awareness through case studies of actual breaches at practices just like theirs. Training programs should include tabletop exercises in which staff members are presented with choices, some of which have led others into breaching patient privacy. Decisions should be discussed, new lines of communication established and a sense of individual responsibility fostered.
At Cyber Risk Associates, our approach is based on best practices of teaching and learning, and relies on techniques adapted from the Department of Homeland Security’s community cybersecurity preparedness exercises. While there are certainly other ways to support patient privacy, the ones that ignore the non-IT causes and don’t address “securing the human” along with securing the data are guaranteed to fail.