In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. If the breach reported to HHS involved more than 500 individuals, it is published for the world to see on an HHS website, colloquially referred to as the “wall of shame.”
In existence since 2009, the wall provides a brief summary of data breaches, including the name of the covered entity, covered entity type (i.e., provider or business associate), number of individuals affected, type of breach and location of the breach (e.g., server, email, electronic medical record). Congress mandated that the public have access to breach information, but questions have arisen regarding the value of the site, how the data is presented and how long the data should be available to the public.
Specifically, the persistence of the information available on the site has caused angst and criticism. After all, if a provider reported a data breach in 2011 but has since implemented corrective actions and remediated and mitigated the issue, does it serve any purpose to continue to remind the public of what happened so many years ago? These critiques led to some minor changes in 2017, but no dramatic overhaul. The primary changes were:
Despite the debate on the wall of shame, the available data has proved valuable to researchers. Academic researchers have published papers based on statistical analysis of the site’s data. In fact, a recent paper in JAMA Internal Medicine examined the causes of breaches based on 1,138 breaches reported on the wall of shame between Oct. 21, 2009, and Dec. 31, 2017, affecting 164 million patients.
According to the JAMA paper, the researchers used the detailed event descriptions provided on the site to sort the reported breach types into five categories, and then differentiated whether the breaches were caused by internal or external factors. Internal breaches were defined as caused by the healthcare entities’ own mistakes or neglect. External causes were all other causes, including where the perpetrators were not identified.
Perhaps not surprisingly, the researchers found that theft of protected health information (PHI) by outsiders was the cause of a significant portion of the 1,138 breaches analyzed. There were 370 breaches (or 32.5 percent) that were caused by outside thefts. The next-largest category was mailing mistakes (either via email or physical mail). These incidents accounted for 119 of the reported breaches (10.5 percent). Overall, however, the data analysis concluded that more than half of the breaches (53 percent) could be attributed to internal mistakes or neglect (as opposed to outside causes). These internal issues, in addition to mailing and emailing mistakes, included employees clicking on phishing emails, forwarding PHI to personal accounts and accessing PHI without authorization.
So, what does this analysis tell us? Although the public and the media tend to focus on data breaches caused by anonymous hackers or state-sponsored attacks from Russia, China or North Korea, the wall of shame data points to a different story. Instead of wringing their hands over outside attackers using sophisticated technical methods to bypass security systems, healthcare providers may want to more closely consider their own houses and what their own employees may be doing (or not doing). Many of the internal mistakes leading to breaches could potentially be addressed via additional/better employee training, test phishing campaigns and software controls identifying PHI being sent via email.
While additional employee training and more effective system controls and monitoring will not stop all employee mistakes, such steps could go a long way toward reducing the number of breaches. Otherwise, it may not be the anonymous attacker in some foreign country that causes the next big PHI breach – it could instead be the well-meaning employee in the office down the hall.