Introduction

As a digital healthcare technology company, we have a great appreciation for the complex business challenges and requirements for stringent security measures inherent with the health care industry. Like the financial sector, health care companies deal in regulated data. As such, any leakage of this regulated data, protected health care information (PHI) in a hospital’s case, is a big deal. Over the past several years hackers have largely directed their efforts towards obtaining healthcare data more so than any other industry due to the high value healthcare data brings on the black market. Along with the increased focus on the health care industry, the frequency and sophisticated nature of attacks has increased as well.

One can expect that this trend of hackers targeting hospitals with greater specificity, frequency, and capabilities will only continue. Therefore, it is imperative that all health care professionals should be better informed and trained in order to increase the vigilance required to reduce the likelihood of nefarious or inadvertent leakage of PHI. Within this blog there are two key points we feel are not widely understood within the healthcare community that we would like to shine a light on. These two key points deal with “action” and “location”. It is important that health care professionals understand what each of these items are, and the role that they play in context of leaking PHI.

 

An Honest Path of Discovery Starting with a Poll

Recently we conducted a poll focusing on security aimed at a variety of health care professionals within hospitals all across the US. We asked the audience a very simple question: "In the past 10 years, which one of the following Health Information Breaches is the Leading Source?". We found the results to be not terribly surprising and they are listed below.

Healthcare Poll Overall Results

What became interesting was the development of an internal discussion here at access once we started researching data found within a report titled “Healthcare Data Breaches: Insights and Implications” published by National Center for Biotechnology Information.

there was data within this report that seemed point towards “paper/film” as the primary culprit behind most instances of PHI exposure. This data clearly ran contrary to the results of the poll and our own sense as to what was going on with PHI being exposed. As we dug deeper within the report, we found information that clearly supported hackers targeting EHR’s, the primary source of leaked PHI. What we discovered was a delineation between an action taken that leads to the exposure of PHI versus the location where PHI is most susceptible to being leaked.

 

Action vs. Location

Action | Data Disclosure Types

Action represents what happened that caused the disclosure of Phi. In this study there were a number of different types of actions represented. These actions range from hacking or malicious attacks, intentional insider attacks, physical damage, computer loss, and unintentional loss.

Location | Area of Breach

The location represents the area where the breach of PHI occurred. Locations range from EMR, laptops and desktop computers, personal electronic devices, paper and films, and email.

Stay Tuned

What became clear is that many people are unaware of the differences between the action taken to disclose PHI versus the locations where PHI is acceptable for exposure. In this blog we have laid out the groundwork for understanding the differences between these two elements in a broader data security story. In the next blog we will dive deeper into the numbers that reveal the true nature of what's happening with the exposure of PHI. Stay tuned!

 

 

Cody Strate

Written by Cody Strate

For more than 15 years, Cody has provided sales and marketing leadership with the goal of providing the smoothest, easiest, and most pleasurable customer experience imaginable. Cody is a Forbes Communication Council member and lives in Colorado with his wife, two kids, and two dogs.