Insiders: the Most Frequent Reason for HIPAA Data Breach
written by Simon
Ponemon Institute and IBM reported that the average total cost of a data breach is $4M in their study, “2016 Cost of Data Breach Study: Global Analysis,” which researched 383 companies in 12 countries, including the U.S. However, the average total cost of a health data breach could be more than that because the study said that a stolen healthcare record costs the average business $355, which is more than the twice the mean cost of $158 across all industries.
A small data breach could cause huge operational, financial and reputational damage to a healthcare organization. When a data breach occurs, the healthcare organization must have a long intensive audit by the Office for Civil Rights (OCR) and spend a lot of time and money on the resolution process to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. The OCR will release information about the accident in the media, likely damaging the organization’s reputation. Expensive lawsuits from affected individuals can then follow.
Meanwhile, according to the Breach Barometer Report: 2016 Year in Review by Protenus, 192 out of 450 healthcare data breach accidents of 2016, which they surveyed, were caused by insiders. This means that data taken by an insider is the most frequent reason (43%) while hacking accounts for 26.8% and data simply lost/stolen accounts for 19% of all breaches. Of the 192 accidents in the report, 99 were a result of an insider-error or accident, while 91 were a result of wrongdoing. (Two could not be classified as error or wrongdoing due to lack of information.)
Protenus’s report also mentioned that it took an average of 233 days for a healthcare organization to discover they had a health data breach, however, the time to discover in cases of insider wrongdoing was more than double that – 607 days. It indicated that the main reason for taking that long is lack of money and a dedicated professional to monitor data, but another important reason is that organizations basically have taken a reactive approach to privacy monitoring: they worry about breaches to patient data only after they are brought to their attention by the affected party, allowing for inappropriate access to patient data to go unnoticed for extended periods of time, if it is detected at all. The organizations may also be informed about breaches by outside sources like the media.
Secudrive could be a good alternative for healthcare organizations to take a proactive approach to prevent data breach by insiders. Specifically, it provides an easy and cost effective way even for small and medium organizations to prevent intentional breaches by malicious insiders as well as breaches caused by error by inadvertent insiders.
Blogs relating to HIPAA
Ways to Prevent HIPAA Data Breach by Insiders
Insiders: the Costs of Data Breaches and Violation against HIPAA
The Primary Threats to Data Breaches of Protected Healthcare Information(PHI)
The Three Safeguards of the HIPAA Security Rule Summarized