Dive Brief:
- Despite privacy protections like HIPAA and the HITECH Act, security breaches continue to plague the healthcare industry, and the problem is only getting worse, a research letter in JAMA shows.
- The authors looked at breaches posted to the HHS Office for Civil Rights breach database from Jan. 1, 2010, to Dec. 31, 2017. A total of 2,149 breaches occurred, impacting 176.4 million records.
- Healthcare providers were the targets in 70% of all breaches, putting 37.1 million records at risk. However, health plans, with just 13% of the breaches, accounted for the lion's share of compromised records at 110.4 million.
Dive Insight:
During the review period, the number of breach reports increased every year except 2015.
The analysis also shows that while more breaches involved paper and film than electronic records, the impact was far less. A total of 510 breaches involved paper or film, compromising 3.4 million records. By contrast, the 410 breaches of EHRs affected 139.9 million records, the authors say.
Prime locations of breaches shifted from laptop, paper and film in 2010 to network servers in 2017. "These shifts were paralleled by increases in hacking or information technology (IT) incidents and unauthorized access, which both surpassed thefts by 2016," the authors write.
"Although networked digital health records have the potential to improve clinical care and facilitate learning health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved," they added.
Research has shown that insiders pose one of the biggest threats to health information security. In a Verizon analysis of security incidents in 2016 and 2017, 58% of breaches were triggered by people working in the organization, compared with 42% that were caused by outside actors. And while concerning, it's not a total surprise. A 2017 study found widespread sharing of EHR passwords among doctors and clinical support staff, which puts patients' information at risk.
Part of the problem is that healthcare organizations aren't following ONC guidelines to protect electronic records. A recent survey by researchers at the University of Texas Health Science Center at Houston found health systems have fully implemented just 18% of ONC's recommendations.
This year alone has seen more than 200 breaches at healthcare organizations, including 10 affecting more than 100,000 patients each.
To increase compliance, systems must prioritize and fund these initiatives, make internal policy changes regarding security and get vendors involved, the UT researchers said.