Survey Shows Employee Error Continues to Be a Greater Cyber Threat for Many Firms

January 23, 2017

In previous articles, we’ve discussed the prevalence of data breaches in the health care industry and the importance of having a strong cyber risk management and insurance program in place. We’re revisiting the topic in the wake of a new survey of compliance professionals conducted by the Society of Corporate Compliance and Ethics® and the Health Care Compliance Association to better understand the impact and frequency of data breaches. The organizations first conducted the survey in 2012 and then again late last year to see whether anything had changed during the last four years. Surprisingly enough, they found that very little has changed during this time, either in how the issue is managed or in the number of incidents that have occurred.

Some of the key findings from the survey include:

  • Although front-page news features cyber attacks by hackers (including at health care organizations and providers across the country) almost daily, the likeliest cause of a data breach is employee mistakes. Lost files and devices continue to be a far greater day-to-day threat than hackers. Survey respondents reported that 20% of breaches were due to a lost device, and 45% said paper files lost by employees were the source of the organization’s breach. Only 17% reported that a hacker was responsible for the breach.
  • Because the majority of data breaches are at the hands of employees, greater consideration should be given to training employees and to how they handle data. This means better education and training by organizations, including home health care providers, is needed to help mitigate breaches. Providers should also carefully review who has access to what data to see where vulnerabilities exist.
  • Respondents, which included private and public companies, non-profits and government entities, reported a lower incident rate than in 2012, although other reports indicate that in the health care industry, breaches are at an all-time high. The HIPAA Journal, for example, said that more healthcare data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the first nine months of 2016 than in all of 2009 through 2013. At the time of the report, the OCR had been informed of 243 healthcare data breaches. Regardless of the number of incidents, the bottom line is that data breach incidents are expensive and disruptive to organizations, particularly when caused by a hacker. When a hack occurred (versus an employee error), the Society of Corporate Compliance and Ethics® and the Health Care Compliance Association survey showed that 80% of the time, expenses were incurred and IT had to take the lead in remediation.
  • Should external threats become the main cause of data incidents and breaches increase as a result, IT is expected to take more of a leadership role over compliance in preventing, finding and fixing problems.

Mitigating cyber risks from all fronts – whether due to employee error or external threats – is an integral part of any health care organization’s risk management and compliance plan. This includes home health care providers and hospices, which possess a patient’s protected health information (PHI) – valuable data that can land in the wrong hands if not properly handled. Not only does an organization face regulatory investigations and potential HIPAA and HITECH fines and penalties if data is breached, it also will incur significant expenses to remedy the situation, including the costs involved in patient notification, credit monitoring, crisis management, and business interruption, among others. Cyber Liability insurance is designed to address these and other costs.

About Manchester Specialty

At Manchester Specialty, we specialize in providing end-to-end insurance solutions for the home health care industry including Cyber Liability. Additionally, we offer access to invaluable cyber risk management and loss prevention assistance through our insurance carrier partners and third-party consultants that includes services such as computer forensics to vet the source of the breach and assess the damage, mandatory breach notification, remediation and resolution services, and crisis communication expertise. For more information about our business insurance lines, you or your local agent/broker may contact us at 855.972.9399.