Introduction

As technology continues to advance, the world becomes increasingly connected. Advances in information and communication technology have helped the healthcare industry replace paper-based systems with electronic health records (EHRs) that provide better, more cost-effective service. EHRs offer an easy way for doctors and patients to communicate digitally, and they also benefit patients through shared medical histories, improved diagnoses of disease, full access at all times, and reduced waiting room time, while making it easier for providers to find what they need quickly. A modern health care organization should be able to rely on its network servers to collect sensitive data from customers at any time and help facilitate patient care when needed. This makes medical records immediately available in case of an emergency or other unexpected event: patients should no longer have to wait until records are obtained by more traditional means, such as faxing them over or making an appointment with someone who has physical copies of their information stored locally. But, like most things, there is a downside: this very same practice creates potential security risks such as software vulnerabilities, human error, unauthorized access, and digital interception. This blog is intended to uncover some of the primary high-risk areas where data security can be breached.

 

Data Breaches by the Numbers

The number of data breaches in the healthcare industry has steadily increased since 2005. According to an in-depth study by The National Center for Biotechnology Innovation (NCBI), the total number of individuals affected by all reported breaches between 2005 and 2019 was 249 million, with 157.4 million of those individuals being affected within the last five years. In 2018 alone, 2216 data breaches spanning 65 different countries occurred worldwide. Of these, 536 were within the healthcare realm. The numbers don’t lie: healthcare cybersecurity violations continue at alarming rates around the world every day, and there’s no sign of them slowing down.

HIPAA Reported Healthcare Data Breaches

Healthcare breaches cost, on average, two times more than others. Breaches in the healthcare industry have cost companies an average of $6.45 million, which is significantly higher than other industries' average of $3.92 million, according to IBM's 2019 data breach report. These costs represent increases as well: from 2014 to 2019, the median price for lost or stolen patient information increased by 12%.

Action vs. Location

There was data within this report that seemed to point towards “paper/film” as the primary culprit behind most instances of PHI exposure. This data clearly ran contrary to the results of our recent poll and our own sense as to what was going on with PHI being exposed. As we dug deeper within the report, we found information that clearly supported hackers targeting EHRs, the primary source of leaked PHI. What we discovered was a delineation between an action taken that leads to the exposure of PHI versus the location where PHI is most susceptible to being leaked.

Healthcare Poll Overall Results

Types of Healthcare Data Breaches

HIPAA data breach reports suggest that the primary means by which PHI is exposed is through hacking incidents, internal unauthorized disclosures, theft or loss from within a company's facility, and improper disposal of records.

Type of Healthcare Data Breaches

  • From 2010 to 2019, a total of 2860 data security breaches were carried out through the aforementioned disclosure types.
  • 29.72% were due to hacking or IT incidents.
  • 29.47% were due to internal unauthorized disclosures.
  • 37.65% were due to cases of theft and loss.
  • 3.14% occurred due to the improper disposal of unnecessary but sensitive data.

The most common type of data breach is theft/loss, followed by hacking/IT incidents, and then unauthorized internal disclosure. Very few breaches are a result of improper disposal.

Hacking events have seen a significant rise. From 2010 to 2019, 692 out of 850 were reported in four consecutive years (2016–2019). This accounts for 81%, and a shocking 32% are from 2019 alone.

Breach Location

While the above gets to the heart of the type of activity that led to a breach, in this section we'll look at the location where the data was stored when breached. The various locations where PHI can be breached are as follows:

  • Electronic Medical Records (EMR)
  • Laptop
  • Desktop computers
  • Other portable electronic devices
  • Paper documents
  • Network server
  • Email
  • Other

Healthcare Breach Locations

Paper and film are the most susceptible to data breaches, according to the NCBI analysis. Out of the eight locations in question, Paper/Film accounts for 575 out of 3,253 breaches, which is 17.67% of the total. Email was at 17.52% and network servers accounted for 16.69% of data breaches.

Paper and film were found to be the easiest target for data leakage given the improper disposal of unnecessary documents that contained PHI.

Contrary to widespread belief, Electronic Medical Records (EMR) saw the fewest instances, at just 5.99% of the total incidents carried out in the same time period. Other Portable Electronic Devices made up 6.64% of the total, while desktop computers accounted for 9.40% of the total. Attacks on email and network servers showed a significant increase from 2016–2019. Out of a total of 570 email location-based data breach incidents, 457 were reported in the last four years (2016 to 2019) alone, of which 35.03% were reported in the year 2019. Similarly, out of a total of 543 network server location-based data breach incidents, 348 were reported in the last four years (2016 to 2019). Again, 22.03% of these cases were reported in 2019.

Stay Tuned

The digitization of healthcare organizations and excessive use of smart devices by customers are significant leading factors in the occurrence of security breaches. Studies show that outdated security software, database servers with no password protection, or email accounts without any passwords are the most often cited reasons for security breaches. To make matters worse, our analysis also revealed a small decrease in paper/films on desktop computers and laptops, which were sites where many data leaks occurred over the last four years.

The number one reason there have been so many such violations lately has everything to do with how much we rely on technology--and not just in hospitals. Outdated cybersecurity technologies combined with an increased reliance upon mobile phone usage among patients can lead all too easily to major breaches of PHI. However, our historical reliance on paper has produced the easiest avenue for nefarious actors to gain access to PHI. As we progress towards a fully digital healthcare landscape, the impact of paper has lessened, but it still poses a significant threat that hospitals should be aware of. While digitization is the clear answer to solving paper-based PHI exposure, it is clear that digitization has its own inherent risks. Given that healthcare data is a prize among hackers, we can expect their efforts, capabilities, and sophistication to increase over time.

 

 

Written by Cody Strate

For more than 15 years, Cody has provided sales and marketing leadership with the goal of providing the smoothest, easiest, and most pleasurable customer experience imaginable. Cody is a Forbes Communication Council member and lives in Colorado with his wife, two kids, and two dogs.