Did you know that the U.S. Department of Health and Human Services’ Office for Civil Rights has a wall of shame? Well, it’s not officially called that, of course. It’s actually known as a breach portal. This is where entities that are covered by HIPAA must go when they experience a healthcare data breach that affects more than 500 people. In 2018, there were quite a few entities that earned a place on the wall of shame. For starters, there was the California Department of Developmental Services. They experienced a theft incident that affected 582,174 patients. Following them was MSK Group in Tennessee which experienced an IT incident affecting 566,236 patients. And we can’t forget about UnityPoint Health in Des Moines, Iowa. Their IT incident affected 1,421,107 patients. The list goes on and on… and the number of people affected continues to rise.
As you can imagine, the effects of these breaches are devastating for patients and extremely costly for companies. Healthcare loses more money because of data breaches than any other sector! While healthcare is incredibly complex, the reasons for these issues are sometimes simple. Far too often, user experience – whether it’s the experience of the patient or the worker who has access to the data – is neglected. Researchers from Johns Hopkins University and Michigan State University recently completed a study on hospital data breaches in the United States which backs up this claim. Their findings, published in JAMA Internal Medicine, were astounding. Almost 1,800 large data breaches of personal health information (PHI) occurred from 2009 to 2017 and affected over 164 million patients. Even more incredible was that 33 hospitals experienced more than one major breach. But the most disturbing part of all (as if it could get any worse): more than half of the PHI that was leaked was exposed not by hackers… but by internal issues! If there was ever an example of a human factors fail, this is it.
Speaking at a press conference about the results of the study, John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business had this to say: “One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers. This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
Although we agree with most of what Jiang said, we have to point out that while healthcare workers are responsible for missteps, it’s truly not their fault. In most instances, healthcare workers are forced to live and work within a system that does not support their need to provide safe and effective healthcare in a way that preserves patient safety and adheres to HIPAA. The root cause of the mistake is almost always much further up the chain.
If you’re a healthcare provider or an IT company working with a healthcare provider, you need to take action now to prevent something like this from happening to your company and the patients you serve. If you don’t, the consequences could be severe (yes, even if you’re a smaller company). Just this week, twelve state attorneys general filed a lawsuit against a group of IT companies as well as their subsidiaries. The suit alleges that poor business practices led to the theft of private healthcare data (including everything from Social Security numbers to lab results) of 3.9 million people in a 2015 data breach. This lawsuit is the first jointly filed multi-state data breach case in federal court based on the federal Health Insurance Portability and Accountability Act, and we expect that it certainly won’t be the last.
Edinburgh Napier University professor William Buchanan once blogged that the top three threats in computer security are “people, people, and people.” He was spot on. The good news, however, is that because of this, many of these data breaches are completely preventable. Healthcare just needs to understand people in order to solve the problem. Perhaps there’s a lack of training for non-technical workers or too few cybersecurity experts at the company. Or maybe cybersecurity isn’t a priority in the boardroom. Whatever the case is – with human factors experts integrated into a healthcare team, the root causes of data breach incidents will be found, and broken systems and disconnected processes will become a thing of the past. Human factors experts don’t just work with IT. They align the goals of every department involved so that priorities – like preventing data breaches – are met. Humans may not be error-free, but the odds of preventing disastrous outcomes can certainly be improved. Human factors helps people work their best, improves the performance of the systems they use, and reduces error rates, leading to safer outcomes for everyone involved in the healthcare system.
Let us help your hospital or clinic succeed.
If you’ve read through our website, then you’re aware that we discuss human factors in healthcare quite frequently. In fact, one of our goals for 2019 is to do as much as we can to improve healthcare in the US. Yes, there is so much to fix. But let’s start with mistakes that we know can be avoided, like data breaches that are caused by internal issues. Let us help your company stay off the wall of shame. Contact us today!