Since 2010, the healthcare industry has seen a 125% increase in criminal attacks on its digital patient data. In fact, according to a study by the Ponemon Institute, 91 percent of healthcare organizations have been hit by at least one data breach. What is surprising, however, is that human error is reported as the primary cause of data breaches. The study found that almost all successful cyber attacks can be traced back to one or more human errors.
Attacks Now Leverage Security Gaps Created by Users
Cyber-criminals are well aware of the human error factor as a potential gateway into the systems they are targeting. Email therefore remains a primary vector for phishing and for gaining access. Many systems continue to rely on detection as a form of prevention, and hackers take full advantage of this by sending emails that are unique enough to evade detection and engaging enough to get a recipient to open them. Attackers are also leveraging social networks to gain access through similar tactics.
Health IT Data Security Awareness Campaigns Can Reduce the Risk
Ransomware attacks are expected to continue growing in volume and diversifying in form in the coming years. While Chief Information Security Officers and Chief Medical Information Officers are working diligently to implement advanced systems and infrastructures to increase their Health IT security, awareness campaigns for staff may represent a cost-effective means of increasing data security for Covered Entities and Business Associates. A few potential areas to highlight in an awareness campaign for health IT data security are:
- Risks associated with accessing work documents from a non-HIPAA-compliant or personal email account
- Risks of accessing work documents or web-based systems from public Wi-Fi connections
- Proper protocol for handling email from unknown senders
- Handling of links and attachments in emails
With a well-implemented awareness campaign and organizational dedication to data governance, the work that health IT and software development teams are putting into securing patient data will lead to a reduced risk of breach and improved protection of the organization’s ePHI.