What are the main causes of a HIPAA breach?

Posted: Sep 02, 2014

When a data breach occurs, it’s easy to immediately place the blame on technology and malicious hackers, yet the majority of HIPAA breaches are user-driven, not technology-driven.

In a recent study, the Health Information Trust Alliance (HITRUST) found that most HIPAA breaches result from the theft or loss of laptops and other portable media. Theft is overwhelmingly the leading cause, accounting for 54% of breaches, followed by loss, accounting for 12% of the total:

  • Theft – 54%
  • Loss – 12%
  • Unauthorized access/disclosure – 11%
  • Hack – 6%
  • Incorrect mailing – 6%
  • Improper disposal – 5%
  • Error/omission – 3%
  • Malware – 2%
  • Unknown – 1%

(Source: HITRUST – A Look Back: U.S. Healthcare Data Breach Trends Report)

More and more healthcare professionals are incorporating portable devices into their daily work routine as leading organizations adopt a Bring Your Own Device (BYOD) policy. As uncovered by Jackson and Coker, laptops, tablets and mobile devices are now used regularly by four out of five physicians. While these devices help streamline data handling both inside and outside healthcare organizations, it is more important than ever that healthcare professionals understand the risks involved when handling Protected Health Information (PHI) electronically.

Accidents do happen, and in many cases it’s extra salt in the wound knowing that portable devices are usually stolen for the hardware itself rather than for the sensitive data they contain. Continual risk analysis and education are crucial for reducing the risk of a data breach. Theft of devices is likely to continue as long as opportunist thieves exist; nevertheless, the percentage of cases can be significantly reduced by implementing clear processes and procedures for all personnel.

Here are four recommendations for healthcare organizations:

  • Develop a BYOD policy. Set coherent rules that limit the use of personal devices, and make sure your organization has an inventory of endpoint devices that contain PHI.
  • Encrypt all sensitive data. HITRUST revealed that laptops are the most commonly stolen device, followed by desktop computers; data encryption is the only reliable way to prevent a breach when a device goes missing.
  • Limit the use of email. Email is inherently insecure; set restrictions that prohibit downloading attachments and exchanging sensitive information over it.
  • Define your processes. Establish a defined process for sharing and storing personal data at every stage of handling.

Want to find out more about how we can help you stay ‘breach-free’? Visit Scrypt (formerly Secure Care Technologies) at the upcoming HIMSS Privacy & Security Forum in Boston, September 8-9, booth #28.