The Top Causes of Medical Data Breaches: How to Protect Your Devices


You’ve seen the news stories. Millions of medical records stolen by hackers and we can’t extradite them to face justice. Instead, they net tens of millions of dollars on the theft and go looking for more.

“Hackers” brings an image to almost everyone’s mind. An anonymous man wearing a Guy Fawkes mask, a young lady navigating superfluous 3d wireframe buildings, a disgruntled unemployed troublemaker, or a group of friends stuck in a basement lacking all necessities but owning an invaluable Internet connection.

The nightly news teaches us that these terrifying hackers knock out mega corporations with precision and ruthlessness. And so when we hear the term “breach,” we’re often reminded of mega corporations getting hacked by crafty, unethical, foreign nerds. Sue, who has dedicated a decade to working your front desk, is the furthest person in our mind to be the nefarious attacker. She’s even the furthest from her own mind.

But the truth about data breaches in America can be revealed in the numbers.

From all resolved HIPAA breaches in the country, only about a quarter are caused by hacking or IT-related events. Indeed, out of all single-cause breaches, 69% are caused by other events. And often, policies that can be successfully taught and followed could have prevented many of these breaches from occurring. Moreover, many surgery centers and physicians’ offices have made the list.

In our example above, Sue could leave a patient record unattended on the front desk. She could forget to lock up. She could forget her purse at Applebee’s with that flash drive in it.

These types of instances are far more likely to occur than a hack. So it’s important to tackle these issues before they become a visit by the Office for Civil Rights.

During your next policy review, identify which specific policies you have in place to prevent theft, loss, improper disposal, and unauthorized access and/or disclosure. Your policies should include specific procedures that can actually be followed and will actually reduce risk.

I’ve seen policies so complex and impractical that nobody could ever follow them. And I’ve seen policies so vague or watered-down that they are ineffective at reducing risk. You will need to find the middle ground of a policy that can affect change, reduce risk, and secure your patients’ ePHI.

After your policies are prepared, you need to educate your staff and test them on their knowledge. Some staff members will take naturally to the changes. Others will require more time to apply the new policies to their work. But if it’s a good policy, every reasonable person will be able to follow the policy 100% of the time.

Lastly, your policies need teeth. When a policy is not followed, it’s important for appropriate repercussions, which may include re-education, loss of privileges, mandatory time off, reassignment, or termination.

With these policies in place, if you should have a breach, the OCR will likely be far more merciful than if they were not in place. It could even be the difference between staying in business and closing shop.

If you need help preparing your medical device security policies, we can help.

Written By: Ben Archambault, IT Manager

Causes of Breaches, data source: