Research consistently shows healthcare is one of the worst sectors at stopping data breaches caused by insiders. New data published in JAMA Network Open reveals sending email warnings to employees after unauthorized access prevented a repeat occurrence in 95% of cases.
The research was conducted by Michigan State University Professor and Plante Moran Faculty Fellow John Xuefeng Jiang, PhD; Protenus CEO Nick Culbertson; and Ge Bai, PhD, a professor at Johns Hopkins.
While ransomware, phishing and other malware-related incidents receive the majority of media attention when it comes to healthcare data breaches, insiders are the driving cause of more than half of protected health information breaches. Verizon’s annual report consistently finds insider security threats are a bigger risk than hacking in healthcare.
These violations put compliance with the Health Insurance Portability and Accountability Act (HIPAA) at risk and expose the organization to related reputational and regulatory harm.
The JAMA report confirms about 25% of PHI breaches are caused by employees’ unauthorized access, meaning the employee lacked authorization, permission or authority to access the data. Considering these factors, the researchers conducted their trial in a large academic medical center to assess whether email warnings reduce repeat offenses.
Between Jan. 1 and July 31, 2018, the PHI access monitoring system of a large academic medical center flagged unauthorized access to patients’ electronic medical records from 444 medical staff members who weren’t part of the patients’ intervention team and didn’t have permission to access the records.
Researchers randomly selected 49% (219 employees) to receive an email warning them that they had been identified as accessing a patient’s health record without a work-related purpose, which is a privacy violation.
The remaining 225 employees received no email warning and served as the control group.
The results were decisive: just four of the 219 employees who received the warning email repeated the unauthorized access during the research period, while 90 of the 225 employees (40%) in the control group repeated the offense. Overall, the control group saw 326 repeated violations, 88 (27%) of which occurred just 10 days after the initial access.
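The monitoring logic the trial relied on is simple to state: compare every record access against the patient’s care team, flag accesses by staff who are neither on the team nor covered by a written authorization, track whether the same employee comes back, and send a warning after the first flagged event. The following Python is an added illustration of that logic and is not code from the study, the researchers, or the medical center; the log format, care-team table, authorization list and warning wording are all constructed assumptions for the example.

```python
"""
Detecting unauthorized EHR access and repeat offenders.

Added illustration (not code from the study or the medical center): a minimal
version of the access-monitoring logic the article describes. Every access to a
patient's record is compared against that patient's care team; hits outside the
team with no written authorization are flagged, repeat access by the same user
is tracked (with a 10-day window, matching the article's statistic), and a
warning email body is produced for the first flagged event.
The log entries, care teams and authorizations below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    user: str
    patient: str
    when: datetime


# Constructed sample: which staff are on each patient's care team.
CARE_TEAMS = {
    "P100": {"dr_lee", "rn_ahmed"},
    "P200": {"dr_okafor"},
}
# Constructed sample: prior written authorizations as (user, patient) pairs.
AUTHORIZED = {("billing_kim", "P200")}


def parse_log(lines):
    """Parse constructed 'timestamp,user,patient' lines into Access records."""
    out = []
    for line in lines:
        ts, user, patient = [f.strip() for f in line.split(",")]
        out.append(Access(user, patient, datetime.fromisoformat(ts)))
    return out


def flag_unauthorized(events, care_teams=CARE_TEAMS, authorized=AUTHORIZED):
    """Return accesses by users who are neither on the care team nor authorized."""
    return [e for e in events
            if e.user not in care_teams.get(e.patient, set())
            and (e.user, e.patient) not in authorized]


def repeat_offenders(flags, window=timedelta(days=10)):
    """Per user: number of repeat accesses after the first flagged one, and how
    many of those repeats fell within `window` of that first access."""
    by_user = defaultdict(list)
    for e in sorted(flags, key=lambda e: e.when):
        by_user[e.user].append(e)
    summary = {}
    for user, evs in by_user.items():
        first, repeats = evs[0], evs[1:]
        summary[user] = {
            "repeats": len(repeats),
            "within_window": sum(1 for r in repeats if r.when - first.when <= window),
        }
    return summary


def warning_email(event):
    """Body of the warning sent after the first flagged access (wording is constructed)."""
    return (f"To: {event.user}\n"
            f"Our monitoring identified that on {event.when:%Y-%m-%d %H:%M} you accessed "
            f"the record of patient {event.patient} without a work-related purpose. "
            "Accessing records of patients outside your care team without prior "
            "written authorization is a privacy violation. Further access will be escalated.")


# Constructed sample access log: ISO timestamp, user, patient.
SAMPLE_LOG = [
    "2018-01-03T09:15:00, dr_lee, P100",       # on care team: allowed
    "2018-01-03T09:20:00, rn_patel, P100",     # not on team: flagged
    "2018-01-09T14:02:00, rn_patel, P100",     # repeat within 10 days
    "2018-02-20T08:45:00, rn_patel, P100",     # repeat after the window
    "2018-01-04T11:00:00, billing_kim, P200",  # written authorization: allowed
    "2018-01-05T16:30:00, dr_lee, P200",       # not on team: flagged, no repeat
]

if __name__ == "__main__":
    flags = flag_unauthorized(parse_log(SAMPLE_LOG))
    print(repeat_offenders(flags))
    print(warning_email(flags[0]))
```

Running the block against the sample log flags four accesses: three by rn_patel on P100 (one initial, two repeats, one of them inside the 10-day window) and one by dr_lee on P200. A real deployment would pull care-team membership from the EHR’s encounter data rather than a static table, and would record the warning itself so the repeat statistic can be computed per warned and unwarned employee, which is the comparison the study made.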
In total, the data showed email warnings were 95% effective in reducing repeat offenses.
The trial confirms that “when left unchecked, hospital employees repeatedly committed unauthorized access to PHI, creating substantial financial, reputational, and clinical risks for the patient and the organization.”
“The academic medical center prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization,” the researchers wrote. “To preserve the trial’s validity, no disciplinary action was taken during the trial period.”
Once the trial ended, however, the medical center took disciplinary action against “all identified offenders,” as required by the provider’s access policy. The medical center continues to use email warnings as a critical access control measure.
Although the study results might not generalize to other settings, the researchers contend that adopting simple email warnings in tandem with a PHI access control system can substantially reduce the risk of unauthorized access, benefiting both patient privacy and the entity. In short, “avoiding repeated access is a critical measure for risk mitigation.”