The Threat From Within: Most Breaches Due to Employee Errors
A study found that more than half of information breaches at health care organizations were due to internal issues such as sending emails to the wrong recipient.
For years, industry reports have estimated that a large number of breaches occur because of internal slip-ups and mishandling of records. A new study supports this hypothesis.
John (Xuefeng) Jiang, PhD, of Michigan State University in East Lansing, and Ge Bai, PhD, of Johns Hopkins Carey Business School in Washington, DC, sifted through data from 1138 breaches reported to the Office for Civil Rights (OCR) from 2009 to 2017 to identify the breach triggers. They found that 53% were due to internal issues that included sending emails to the wrong recipient, taking home devices with protected health information (PHI), and misplacing paper health records.
Under HIPAA, covered entities are supposed to be performing annual training, but gaps clearly remain, mainly in the realm of storing and communicating health information, Dr Jiang said. But providers can learn something about prevention from the study.
“If you look at what happened, you see some common themes,” he said. “And the corrective actions people took who had issues provide some lessons that are useful.”
In a research letter published recently in JAMA Internal Medicine, Drs Jiang and Bai reported finding a handful of areas tripping up health care providers. First, a majority of the affected providers were still using paper documentation, some of which got lost in storage or during transportation or disposal. Many of these organizations planned to move to electronic documentation, as detailed in their corrective action plans (required by OCR after a breach).
“They used the breach as an opportunity to upgrade their systems,” Dr Jiang said. “And if they already had information in an electronic format, some moved to a cloud-based system instead of using their own server.”
If information is being stored electronically, though, he cautions against allowing staff to keep it on mobile devices, which appear (from the breaches he and Dr Bai analyzed) to be easily lost or stolen.
A small percentage of the breaches were caused by employee theft. For instance, after being fired, a person might download patient data to take to a competitor's firm. In a handful of cases, employees had downloaded credit card or Social Security information with the intent of committing fraud.
But these types of cases account for a small minority of breaches, Dr Jiang said. Most were due to errors that could have easily been avoided, like sending letters via the postal service that have Social Security numbers visible through the envelope window or copying unauthorized individuals on emails containing PHI. “A lot were simple mistakes that cause a lot of trouble,” he said.
A common refrain among providers is a lack of funds to put toward HIPAA compliance efforts, but breaches occur even at big organizations that spend large sums on security. The answers, Dr Jiang said, are simpler than that. “As far as I can see, even if they [providers] are resource-constrained, if they use common sense and follow some simple security principles, they can eliminate some risks,” he said.
Among the solutions in the corrective action plans he and Dr Bai analyzed were the use of a 2-step verification protocol before sending out mail, with 1 person preparing it and another verifying information before sending it. Some providers implemented audits to ensure people were only accessing appropriate information in the system.
Most electronic medical record systems can be used to monitor who is accessing records, according to Chris Bennington, an attorney-consultant with INCompliance, a Columbus, Ohio-based health care consulting firm. Random records can be pulled to see who accessed them at various times. Paper audits can be more difficult, but a quick walk-through of a facility can show if records are being left out or thrown in a trash receptacle instead of being disposed of properly.
Bennington said he recommends doing audits twice a year. “And if you are going to take the time to do them, document that you did them. In the eyes of the government, if you didn't document, you didn't do it.”
Organizational training programs also should be well documented. Marc Haskelson, president and CEO of Compliancy Group, LLC, based in Greenlawn, New York, said improper training is bound to lead to HIPAA problems. A majority of breaches, he said, occur because people failed to follow their employer's policies and procedures.
HIPAA training should be tailored to an organization. A trainer can look at HIPAA violations on the OCR website to incorporate real-world examples of breaches. Issues that arose within an organization during the year also could be incorporated. Instead of always offering off-the-shelf training modules, Haskelson said, providers should understand their weaknesses (through a risk analysis) and use them as a basis for training tailored to the unique needs of their business.
Training programs also can be used to detail the disciplinary actions that would be imposed on employees who make HIPAA errors. Organizations must follow through on disciplinary actions against an employee who is responsible for a breach, because this is among the areas OCR checks when it investigates breaches.
“Many have a [disciplinary] policy but when faced with a breach, don't want to apply sanctions in the manner laid out,” Haskelson said. “It's really important for covered entities to follow through because it sends a clear message that not only do they have policies, but they will apply them in a consistent manner.”
Breaches and their resulting sanctions should be looked at on a case-by-case basis, but there are some general rules that can guide policies, Bennington said. Sanctions should be categorized by intent and frequency. Breaches can be accidental, careless, or intentional. Sanctions can be tailored to these categories. When it comes to frequency, a practice must consider whether someone has made only 1 error or several. The kind of breach should also be considered.
“There are times when you have a violation that is so clear cut and serious there won't be a warning; it will just go right to termination because of the severity,” Bennington said. “But I don't think every instance should result in termination.”