
Mitigating and avoiding accidental breaches in healthcare


Imagine a rushed or tired employee who clicks on an unknown, harmful link or accidentally shares sensitive information with the wrong person and/or through an unsecured channel. At least 85% of data breaches are attributed to an individual’s mistakes. A simple error can open a cyber door to hackers to access private data, launch malware, or even take control of an entire network.

Accidental HIPAA breaches can have serious consequences for healthcare organizations, patients, and their protected health information (PHI). Given that such threats exist today and occur frequently, healthcare organizations need to understand more about accidental breaches and how to avoid the threat and/or the aftermath in case they do occur.

See also: HIPAA compliant email: The definitive guide


Cybersecurity threats to healthcare

HIPAA compliance promotes strong security, which matters more as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone.

Common examples of breaches that result in exposed PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing/ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures (insider threats). No matter the type, a data breach can have far-reaching consequences and can raise serious accountability and liability issues for an organization.


Accidental breaches in healthcare

Human factors impact cybersecurity given the connected relationship between human error and systemic institutional weaknesses. An accidental breach, sometimes called an unintentional insider threat, can occur when an employee, through action or inaction but without malicious intent, causes harm in some way to a healthcare organization’s system or network. They occur through honest mistakes.

Human error accounts for a substantial portion of HIPAA healthcare breaches. It could be an admin, nurse, doctor, or staff member who unknowingly engages in behaviors that compromise security. These individuals are typically just going about their daily tasks: they might lack awareness of cybersecurity practices, be too tired to follow guidelines properly, or fail to recognize a potential danger (e.g., a phishing email) in time to prevent it.


Common examples of accidental breaches

There are numerous examples of accidental breaches that can occur daily, either through employee accidents or through hacking/IT incidents that follow an employee mishap. They often result from employees who are not paying attention to what they are doing and inadvertently release private information through:

  • Autofill errors
  • Emailing the wrong recipient
  • Not using data encryption
  • Leaving a laptop in a public place
  • Overlooking cybersecurity guidelines
  • Using weak passwords

An accidental breach could also occur if an employee falls victim to hacking or a cyberattack by clicking on a bad link or attachment or falling for a phishing scheme (e.g., sending personally identifiable information (PII) to someone they don’t know). Some attacks are targeted (i.e., spear phishing) while others are sent en masse (i.e., spam). Cybercriminals regularly tempt victims through social engineering techniques that utilize malware, viruses, adware, spyware, or ransomware.

Social engineering plays on people’s emotions and instincts so that they will take actions that are not in their best interests. Such attacks rely on coercion and manipulation and do not have to be sophisticated. Because healthcare employees often juggle multiple tasks and might not be fully trained in cybersecurity, they can easily make both kinds of mistake: careless errors and falling for an attack.


Reasons for accidental breaches in healthcare

Healthcare organizations are more vulnerable to accidental breaches, whether due to employee errors and/or cyberattacks, than most other industries. The top five reasons for this are:

  1. The volume and value of PHI
  2. Healthcare organizations are more likely to pay
  3. Providers have excessive and more vulnerable attack surfaces
  4. Staff tend to be untrained and tired
  5. Healthcare businesses tend to be lax in cybersecurity

These incidents reflect human weakness rather than malice, and organizations bear responsibility for failing to implement safeguards against such issues. The significance of PHI, along with the unfortunate use of legacy devices and notoriously overworked employees, sets up the healthcare industry as a prime target for cybercrime.


Real-world example: Ascension Health

Ascension Health is one of the largest nonprofit health systems in the United States. In May 2024, cybercriminals employed social engineering tactics to deceive an employee into downloading malware. The employee downloaded a corrupt file, and the accidental data breach led to a significant ransomware attack.

The breach disrupted operations across Ascension Health's 140 hospitals in 19 states, forcing some facilities to divert care and putting patient safety at risk. Critical systems, including electronic health records (EHRs), phones, and medication systems, were taken offline. Employees ended up tracking procedures and medications manually, pausing noncritical procedures, and sending emergencies elsewhere.

The company engaged Mandiant, a third-party expert, to aid in the investigation, which has so far revealed that PHI, including the EHRs, was exfiltrated during the attack. What Ascension Health calls an "honest mistake" affected 13.4 million customers.


Consequences of accidental breaches

The impact of accidental breaches on the healthcare industry can be devastating, from loss of data to loss of patients. The damage can go beyond monetary costs (e.g., loss from a ransom or cyberattack recovery), with other costs including:

  • Loss of confidence from patients and stakeholders
  • Compromised healthcare data
  • Loss of access to encrypted or exfiltrated data
  • Patients themselves becoming victims of identity theft or blackmail
  • Disruption of services
  • Repeated attacks once hackers consider the organization an easy target


The aftermath: Mitigating an accidental breach

The reality is that an accidental breach can occur; if it does, healthcare organizations must know what to do to mitigate the situation. If an organization suspects that its system has been breached, it should identify and confirm the situation, then take steps to stop the leak of PHI. After a breach, providers also need to continuously monitor their systems for any anomalies or strange behavior.

Healthcare organizations can begin to reduce the impact of accidents by updating and then implementing more rigorous security measures. They must also act to halt further harm, such as retrieving sensitive information from the affected system and providing emergency training to staff, and should conduct thorough security audits and compliance reviews to identify further vulnerabilities.

After detection and investigation, organizations must also follow the Breach Notification Rule and notify affected individuals, the government, and the media. Swift and transparent communication helps lessen the fallout and indicates an organization’s commitment to rectifying a breach and ensuring it does not occur again.

Proper mitigation after a breach can keep more patient data from being exposed and protect a healthcare organization from committing a HIPAA violation.


Avoiding accidental breaches in healthcare with HIPAA compliance

HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid accidental breaches include:

  1. Establishing up-to-date policies and procedures
  2. Using business associate agreements (BAAs) when working with third parties
  3. Implementing a program to identify cyber vulnerabilities
  4. Using continuous employee awareness training
  5. Ensuring proper technological safeguards, such as data encryption
  6. Utilizing strong access controls
  7. Maintaining all systems and software with the latest security patches and updates
  8. Keeping communication channels secure
  9. Creating data backup and disaster recovery plans in case of an incident
  10. Regularly auditing and monitoring systems
  11. Having an incident response plan ready in case it is needed
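Several of the safeguards above (technological safeguards such as encryption, strong access controls, secure communication channels) can be made concrete as a pre-send check on outbound email, which directly targets the autofill and wrong-recipient errors listed earlier. The following is an added example written for this article, not code from the original page or from any vendor named on it. It assumes a hypothetical outbound-mail hook that can inspect a message before it leaves; the PHI patterns, the domain lists, and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately crude markers for PHI-like content. A real
# deployment would use the organization's own identifiers and DLP rules.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    body: str
    encrypted: bool = False  # True when routed through the encrypted channel

def phi_markers(text):
    """Names of the PHI-like patterns present in text, sorted and deduplicated."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (autofill/typo mistakes)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def check_message(msg, internal_domains, partner_domains):
    """Return a list of findings; an empty list means the message may be sent.

    Policy (hypothetical, for illustration): messages without PHI markers pass.
    PHI may go to internal domains freely, to known partner domains only over the
    encrypted channel, and never to unknown or lookalike external domains.
    """
    findings = []
    markers = phi_markers(msg.body)
    if not markers:
        return findings
    trusted = sorted(set(internal_domains) | set(partner_domains))
    for rcpt in msg.recipients:
        dom = _domain(rcpt)
        if dom in internal_domains:
            continue
        if dom in partner_domains:
            if not msg.encrypted:
                findings.append(f"{rcpt}: PHI ({', '.join(markers)}) to partner domain sent unencrypted")
            continue
        near = [t for t in trusted if edit_distance(dom, t) <= 2]
        if near:
            findings.append(f"{rcpt}: lookalike of trusted domain {near[0]}; possible autofill or typo")
        else:
            findings.append(f"{rcpt}: PHI ({', '.join(markers)}) to unknown external domain {dom}")
    return findings

# Constructed domain lists and sample messages.
INTERNAL = {"example-hospital.org"}
PARTNERS = {"partner-clinic.example"}
PHI_BODY = "Patient MRN 0012345, DOB: 04/12/1970, needs follow-up next week."

MSG_INTERNAL = OutboundMessage("nurse@example-hospital.org", ["dr.lee@example-hospital.org"], PHI_BODY)
MSG_PARTNER_PLAIN = OutboundMessage("nurse@example-hospital.org", ["referral@partner-clinic.example"], PHI_BODY)
MSG_PARTNER_ENC = OutboundMessage("nurse@example-hospital.org", ["referral@partner-clinic.example"], PHI_BODY, encrypted=True)
MSG_EXTERNAL = OutboundMessage("nurse@example-hospital.org", ["j.smith@gmail.example"], PHI_BODY)
MSG_LOOKALIKE = OutboundMessage("nurse@example-hospital.org", ["billing@example-hospita1.org"], PHI_BODY)
MSG_NO_PHI = OutboundMessage("nurse@example-hospital.org", ["j.smith@gmail.example"], "Meeting moved to 3pm.")

if __name__ == "__main__":
    for name, msg in [("internal", MSG_INTERNAL), ("partner_plain", MSG_PARTNER_PLAIN),
                      ("partner_enc", MSG_PARTNER_ENC), ("external", MSG_EXTERNAL),
                      ("lookalike", MSG_LOOKALIKE), ("no_phi", MSG_NO_PHI)]:
        print(name, "->", check_message(msg, INTERNAL, PARTNERS) or "OK")
```

The check is intentionally conservative: a message that trips it is held for the sender or the compliance officer to review rather than silently dropped, and the findings give the reason so the sender can correct the recipient or switch to the encrypted channel. Pattern-based detection will miss PHI that does not match the markers, so this complements, and does not replace, encryption of the channel and access controls on the source systems.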

HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.


The critical role of employee awareness training

A culture of security is one in which all employees actively participate in cybersecurity. Organizations that build cybersecurity awareness into their staff get stronger protection. All employees, contractors, volunteers, and any other personnel who have access to PHI must complete HIPAA training.

HIPAA training reinforces that culture and should focus on HIPAA requirements, cybersecurity, and avoiding social engineering/phishing schemes. Training should cover technical best practices like encryption, authentication procedures, incident reporting protocols, and contingency operations. Effective cybersecurity training happens regularly and is consistently evaluated and updated.

Feedback and reevaluation are necessities, not afterthoughts, and training should always run alongside other cyber initiatives rather than on its own. Even the best cybersecurity strategy is not foolproof without proper employee awareness training; at the same time, training is not enough by itself.

Think about: How to build and sustain a culture of security


FAQs

What is cybersecurity, and how does it relate to healthcare security?

Cybersecurity involves protecting computer systems, networks, and data from digital attacks, unauthorized access, and damage. In healthcare, it is necessary to safeguard PHI and ePHI. Effective measures help keep sensitive patient data confidential, secure, and compliant with HIPAA regulations.


What human factors contribute to email security risks in healthcare?

Human factors include inadvertent errors such as misaddressed emails, falling for phishing scams, and failure to follow security protocols.


What should I do if I accidentally send an email containing PHI to the wrong recipient?

If you accidentally send PHI to the wrong recipient, immediately notify your organization’s HIPAA compliance officer or IT security team. They can assess the situation, determine the potential risk, and take appropriate steps to mitigate harm.


Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare fall under HIPAA regulations. Phishing attacks compromising the privacy and security of PHI can lead to severe penalties, including fines and reputational damage.
