
How to Prevent Medical Records From Being Hacked - Wall Street Journal


Data breaches at health-care entities mostly expose identifying and financial information, not sensitive medical information.


Here’s a common nightmare scenario: The computer system at your doctor’s office is hacked, and somebody has all your medical records.

What if the hacker uses your medical history to blackmail you or to embarrass you publicly? What if the public exposure of your records affects your job prospects?

The good news is that you probably shouldn’t worry about your medical records. But you should be worried that the hacker has your Social Security number or financial information that was stored in the physician’s office computer.

Among nearly 1,500 data breaches at health-care entities in the U.S. from 2009 to 2019, affecting 169 million patients, our research reveals that only 22 involved the breach of sensitive medical information—such as records of HIV tests, sexually transmitted diseases, cancer, mental health, abortions and substance abuse. Two million people were affected by those 22 breaches.

The disclosure of nonmedical information that could be exploited for identity theft or financial fraud—such as driver’s license numbers, Social Security numbers and bank-account or credit-card numbers—was much more common. There were 1,042 breaches of this type of information at health-care entities, affecting 159 million individuals. This suggests that hackers and thieves for the most part intentionally targeted sensitive identifying and financial information, and the medical records became collateral damage.

Another study of ours, however, shows that many breaches like these are easily preventable.

In that study, we found that insiders were responsible for more than half of the breaches at health-care organizations—and most of those breaches were accidental. If health-care providers had stronger internal controls in place and their employees followed the right protocols, many breaches could have been avoided.

Mistakes abound

We examined detailed descriptions of more than 1,100 health-care data breaches that affected 164 million patients. Health-care organizations are required to notify an office of the Department of Health and Human Services of breaches affecting 500 or more people, and to classify those breaches in prescribed categories.

Unauthorized access or disclosure of patient health information, a category that covers a broad range of sloppy behavior by employees, accounted for 25% of all breaches in the study. Employee mailing mistakes—sending sensitive letters to the wrong recipients, printing Social Security numbers on mailing labels or making confidential information like HIV status visible through envelope windows—were the most common problem in this category, accounting for 10.5% of all breaches of any kind. Among other subcategories, employees taking health information home or forwarding it to personal accounts or devices represented 6.5% of all breaches, while emailing errors, such as sending emails to the wrong recipients, represented 2.8% of all breaches.

Internal mistakes also played a prominent role in some other categories of breaches. For example, unencrypted devices or paper records lost or misplaced by health-care entities accounted for 7.2% of all breaches, and improper disposal of devices or paper records was responsible for an additional 3%.

Even in the category labeled hacking or IT incident, which accounted for 20.5% of all breaches, accidental exposure of personal health information through the internet was responsible for 5.4% of all breaches of any kind—more than malware or viruses at 5.3%. Also within this category, employees clicking on phishing emails were the cause of 3.4% of all breaches.

Making it better

Clearly, some basic training for employees about mail and email practices and cybersecurity would be helpful. But mistakes will still be made. So, before mailing patient information, health-care entities should double-check the accuracy of mailing labels and make sure the labels or envelope windows don’t reveal confidential information. When communicating with patients through emails, they should check to be sure the recipient is correct and no one is improperly cc’d.

Beyond that, reducing the storage of patient information in mobile devices, such as laptop computers or USB drives, could significantly reduce the risk of a data breach. Nearly half of the breached data in our study was stored in mobile devices. And sensitive information should always be encrypted.

Finally, health-care entities should also consider storing patients’ identifying and financial information separately from their medical records, to avoid the loss of medical records as collateral damage in breaches aimed at obtaining data to be used for identity theft or financial fraud.

Dr. Bai is an associate professor of accounting at the Johns Hopkins Carey Business School and associate professor of health policy and management at the Johns Hopkins Bloomberg School of Public Health. Dr. Jiang is a professor of accounting and information systems and the Plante Moran Faculty Fellow at the Eli Broad College of Business of Michigan State University. They can be reached at reports@wsj.com.


Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.




"how" - Google News
June 22, 2020 at 07:31AM
https://ift.tt/2V7pwqr
