Why certain hospitals have a higher risk of violating HIPAA
Caitlin Anthoney Oct 7, 2024 7:10:43 AM
Hospitals must prevent HIPAA violations using an advanced cybersecurity framework, staff training, and behavioral policies.
More specifically, healthcare must move forward with innovative security features, policy modifications, and new training programs for the emerging threats that still surround patients’ protected health information (PHI).
EMR systems and the risk of hacking
Most hospitals and other healthcare-oriented establishments have invested in electronic medical records (EMR) systems for increased efficiency, better patient outcomes, and greater compliance with healthcare regulations like HIPAA.
Yet these digital systems also increase healthcare organizations' exposure to hacking and cyberattacks, as evidenced in the study Hospital characteristics associated with HIPAA breaches.
More specifically, the study notes that hospitals moving towards the highest stage of EMR implementation (stage 7) are less likely to experience breaches such as unauthorized access or improper disposal of data, but "they were more likely to be hacked."
Smaller hospitals are more vulnerable to hacking
Ordinarily, micro-hospitals have fewer than 100 beds and are more vulnerable to hacking than larger hospitals. As the report shows, "hacking was shown to be the breach type, which placed smaller hospitals into the most vulnerable position."
There are several reasons for this vulnerability. First, smaller hospitals usually have less money and technology to invest in advanced cybersecurity measures, so their IT setups are typically less robust, which makes them more prone to data breaches. Second, smaller hospitals may not have enough staff to monitor and counter malicious cyber threats in real time.
However, "smaller hospitals were less apt to experience breaches associated with improper disposal" of patient data. So, while micro-hospitals are highly susceptible to cyber threats, they handle the physical side of managing their smaller volume of data well.
System hospitals have a higher risk of improper PHI disposal
System hospitals, those that are part of a larger system of healthcare providers, were shown to be at "greater risk for breaches associated with improper disposal" while at the same time being at lower risk of hacking.
On one hand, system hospitals tend to have better facilities, higher quality programs, and larger monetary commitments to regulatory requirements such as the Affordable Care Act (ACA) and HIPAA. Moreover, their centralized IT departments can handle data security concerns across different locations.
On the other hand, system hospitals face an increased risk of breaches from improper disposal. With more patient data spread across multisite campuses, system hospitals can have difficulty ensuring that employees at every location dispose of PHI properly.
Vulnerabilities of teaching hospitals
Teaching hospitals also proved vulnerable to breaches, especially due to improper data disposal. Teaching hospitals typically generate a high volume of patient data and contain many stakeholders who have access to sensitive information, such as faculty and medical staff, students, and trainees.
The research suggests that "leaders of such institutions might examine who specifically is causing this type of breach" and offer training in data handling and disposal protocols. These institutions must show "best practices with respect to HIPAA compliance and breach avoidance."
How hospitals can reduce HIPAA violations
The sociotechnical approach
Most data breaches were related to hacking, theft, mishandling of emails, and unauthorized access to accounts. Therefore, the study recommends using a sociotechnical approach to address these challenges.
For example, even if a hospital has a highly developed cybersecurity system, breaches can still occur if its employees are not trained to recognize phishing or are inconsistent in following data handling protocols.
The sociotechnical approach incorporates technology with behavioral guidelines. For hospital leaders, a sociotechnical approach begins with looking beyond the promises of vendors who say their EMR systems are foolproof.
As the report states, "With the advent of HIPAA came a number of companies marketing numerous EMR systems all promising to effectively deal with the mandates appropriately and make clinicians' lives easier."
EMR systems, while an intrinsic part of compliance, only work if the hospital's training and overall approach to data security are sufficient.
Policy implications
Data breaches continue to rise, even with the U.S. government's attention to developing and implementing policies for protecting patient health information, including HIPAA and HITECH.
As the research states, "previous iterations of the law might have offered a foundation toward protection but clearly have not adequately addressed the social challenges where our research noted breaches are occurring."
As the report showed, "With respect to the socio-technical approach, it appears that the legislation may have missed the social issues within the implementation process and there are clearly gaps that need to be addressed."
Ultimately, closing these gaps will require a holistic view of healthcare data security that respects the limitations of technology and concentrates on human factors in breach prevention.
Healthcare leaders must work with policymakers for regulations that reflect real-world modern healthcare environments and offer solutions to mitigate hacking, improper disposal, and other types of breaches.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for safeguarding protected health information (PHI). HIPAA mandates that healthcare providers, insurers, business associates, and some federal agencies safeguard patients' PHI during transit and at rest.
What is PHI?
Protected health information (PHI) includes any information on a patient's health status, medical treatment, or payment for healthcare that can identify the individual. It includes names, addresses, birthdates, Social Security numbers, medical records, and other personal identifiers tied to healthcare services.