It doesn't take the stealth of a cyberattacker to cause a healthcare data breach. Typical workplace occurrences like leaving a sensitive document on a printer tray also can lead to data breaches.
And in healthcare organizations, it happens more than you think.
Seven in 10 managers at healthcare organizations have seen or picked up documents containing confidential or sensitive information left in the printer. Close to two-thirds (63%) say they are concerned their employees or contractors have printed and left behind a document that could lead to a data breach, according to a survey by the Ponemon Institute. The survey was compiled in a report by Shred-It, an information security service.
This seemingly innocent workplace mistake isn’t the only thing threatening information security. More than 3 in 4 (78%) managers admit they have accidentally sent an email containing sensitive information to the wrong person. What’s more, 84% have received an email containing sensitive information from someone within or outside of their organization they were not intended to receive.
Despite widespread adoption of electronic health record systems, most hospitals still use both paper and electronic documents for patient care. Healthcare cyberattacks overall are on the rise, with nearly 32 million patient records breached in 2019—double all of 2018.
There were 81 healthcare data breaches of physical protected health information such as charts, documents and films last year, according to data from the U.S. Department of Health and Human Services' breach portal. Paper/films were involved in 22% of breaches.
Recent research also found that 71% of hospital data breaches, affecting 159 million patients, exposed sensitive demographic or financial information that could be exploited for identity or financial fraud.
The Ponemon Institute/Shred-It survey includes responses from 650 IT security and non-IT professionals in North America in a range of industries, including healthcare.
Sixty-nine percent of healthcare tech and business managers reported that their organization had experienced at least one data breach in the past 12 months, and nearly 3 in 4 (70%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information. The majority (74%) of those lost or stolen documents contained consumer/customer information or financial information, according to the survey.
About two-thirds of healthcare managers surveyed said they are not confident that their organization is able to govern the use, protection and disposal of paper documents. That's particularly concerning in an industry that often still uses paper documents to record patient information.
Only 36% of healthcare managers say they shred confidential paper documents after reviewing them; the others said they recycle it, keep it or throw it in the garbage. Half of healthcare managers also said their organizations do not have a process for disposing of paper documents containing sensitive or confidential information after they are no longer needed.
More than half of managers (61%) report that employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.
Employee negligence, intentional or not, can be a leading contributor to data breaches, noted Ann Nickolas, senior vice president, Stericycle, the provider of Shred-it information security solutions. Businesses should equally consider the needs for cybersecurity and physical information security within their organization, Nickolas said.
“Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches," she said.
The report outlines steps organizations can take to implement better security standards for their employees to protect confidential and sensitive information.
An on-site information security risk assessment can help identify what practices and procedures are putting an organization at risk and provide recommendations to mitigate them, the report said.
Organizations also should develop awareness training for employees and implement workplace privacy policies.