Did you know that the U.S. Department of Health and Human Services’ Office for Civil Rights has a wall of shame? Well, it’s not officially called that; it’s actually known as a breach portal. This is where entities covered by HIPAA are displayed when they experience a healthcare data breach that affects more than 500 people.
In 2018, there were quite a few companies that found themselves on the wall of shame. For starters, there was the California Department of Developmental Services. They experienced a theft incident that affected 582,174 patients. Following them was MSK Group in Tennessee which experienced an IT incident affecting 566,236 patients. And we can’t forget about UnityPoint Health in Des Moines, Iowa. Their IT incident affected 1,421,107 patients. The list goes on and on… and the number of people affected continues to rise.
The Cost of a Data Breach
As you can imagine, the effects of these breaches are devastating for patients and extremely costly for companies. Healthcare loses more money because of data breaches than any other sector! While healthcare is incredibly complex, the reasons for these issues are sometimes simple. Far too often, user experience – whether it’s the experience of the patient or of the worker who has access to the data – is neglected. Researchers from Johns Hopkins University and Michigan State University recently completed a study on hospital data breaches in the United States which backs up this claim. Their findings, published in JAMA Internal Medicine, shed light on this growing problem. Almost 1,800 large data breaches in personal health information (PHI) occurred from 2009 to 2017 and affected over 164 million patients. Even more incredible was that 33 hospitals experienced more than one major breach. But the most disturbing part of all (as if it could get any worse): more than half of the PHI that was leaked occurred not because of hackers… but because of internal issues! If there was ever an example of a human factors failure, this is it.
Speaking at a press conference about the results of the study, John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business, had this to say:
“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers. This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
This analysis is interesting, and human factors has more to bring to the conversation. We should remember that the user is never the root cause of these missteps. We must look at the situation holistically before we begin making accusations. In most instances, healthcare workers are forced to live and work within a system that does not support their need to provide safe and effective care while preserving patient safety and adhering to HIPAA. The root cause of the mistake is almost always much further up the chain.
It’s the People Piece that We are Missing
If you’re a healthcare provider, or an IT company working with a healthcare provider, you need to take action now to prevent something like this from happening to your company and the patients you serve. If you don’t, the consequences could be severe (yes, even if you’re a smaller company). Just this week, twelve state attorneys general filed a lawsuit against a group of IT companies as well as their subsidiaries. The suit alleges that poor business practices led to the theft of private healthcare data (including everything from Social Security numbers to lab results) of 3.9 million people in a 2015 data breach. This lawsuit is the first jointly filed multi-state data breach case in federal court based on the federal Health Insurance Portability and Accountability Act, and we expect that it certainly won’t be the last.
Edinburgh Napier University professor William Buchanan once blogged that the top three threats in computer security are “people, people, and people.” He was spot on. The good news, however, is that because of this, many of these data breaches are completely preventable. Healthcare just needs to understand people in order to solve the problem. Perhaps there’s a lack of training for non-technical workers or too few cybersecurity experts at the company. Or maybe cybersecurity isn’t a priority in the boardroom. Whatever the case is – with human factors experts integrated into a healthcare team, root causes for data breach incidents will be found and broken systems and disconnected processes will become a thing of the past. Human factors experts don’t just work with IT, they align the goals of every department involved so that priorities – like preventing data breaches – are met. Humans may not be error-free, but the odds of preventing disastrous outcomes can certainly be improved upon. Human factors helps people to work their best, improves the performance of the systems they use, and reduces error rates leading to safer outcomes for all involved in the healthcare system.