Human Error, Not Hacking, Most Common Cause of Data Breaches at VA Hospitals
The growth of health IT has brought new clinical and administrative capabilities to healthcare delivery, increasing efficiency and allowing data-driven care. But security remains a serious problem – especially for the Veterans Affairs Healthcare System. A recent audit by the VA OIG listed the health system’s IT security as a material weakness, specifically in protecting financial information. Various factors, including periods of poor management, inadequate funding, and its sheer scale, have made it difficult for the VA health system to modernize its information security infrastructure. However, a review of the VA health system’s record of large-scale breaches suggests that human error and improper protocols are a greater cause of violations than sophisticated attacks such as hacking or non-opportunistic theft.
Of the 26 breaches affecting over 500 people that VA hospitals reported from 2010 until the present, most were classified as unauthorized disclosure or theft, with a few falling into the categories of improper disposal and loss. While not every incident includes details, there are enough to gauge the nature of each type of breach. In most cases of theft, carelessness was the primary culprit. In one 2011 theft at the VA Caribbean Health System, an employee left a bag of documents containing information on over 6,000 veterans at a nurses’ station. In another, an employee of the VA Eastern Colorado Healthcare System left a box of paper records on over 600 patients in a parking garage for four days before it was eventually discovered. At least one case was a deliberate theft: in 2013, a laptop with 7,400 patient records was stolen from the Dorn Veterans Affairs Medical Center lab and never recovered. Only a few instances of unauthorized disclosure were detailed; they consisted of one case in which paper records were placed in an outside dumpster, and another in which a hospital mailed 2,000 letters printed on paper that contained private patient information on the reverse side.
OCR-Reported Data Breaches by Type, VA and Other Hospitals, 2010-present*
| Type | VA Hospital Data Breaches | All Other Hospital Data Breaches |
| --- | --- | --- |
| Total Unauthorized Access/Disclosure | 8 | 293 |
| Median Patients Affected/Breach (All types) | 1,306 | 2,081 |
Source: Definitive Healthcare, Office of Civil Rights
*Only includes breaches affecting > 500 patients
Unlike most hospitals’ reports of serious data breaches, only one of the VA’s 26 cases resulted from hacking. (Suspected widespread hacking of the VA by foreign countries starting in 2010 was not included in the OCR reporting.) The incident, which compromised information on over 7,000 veterans, occurred in late 2014 due to security vulnerabilities in an online benefits platform developed by a third party. This rate stands in stark contrast to the rest of the hospital industry, in which hacking is the third-largest classification of data breaches. The reason for the difference isn’t immediately clear. Recent audits of the VA’s overall IT security have noted the organization’s ongoing struggle to meet Federal Information Security Management Act guidelines, such as strong employee password discipline. It’s possible that, as a unified system, the VA has more robust protection against hacking threats in particular than many small, private hospitals that don’t have similar resources.
The VA is not alone when it comes to human error, or at the very least failure to take sensible precautions: it is considered the most common cause of data breaches among all hospitals. While seemingly unavoidable, human error’s contribution to privacy breaches can be minimized with investments in security and processes. For instance, paper and film tie with laptops as the most common medium stolen, lost, or improperly disclosed among healthcare providers, according to the OCR’s record of incidents affecting 500 or more people. Limiting the production of, or access to, paper records and film printouts of scan results lowers the chance that they will be lost or improperly disposed of. And while laptops are often indispensable and pose a substantial loss or theft risk, encrypting data or restricting local data storage reduces the chance that any patient information can be extracted from a lost or stolen device. The VA learned this the hard way in 2006, after an unencrypted laptop containing information on 26.5 million veterans was stolen from an employee’s home, an event that led the VA to pay a $20 million settlement to affected patients. While the VA has not had such a significant breach in many years, the system still has considerable progress to make.
Definitive Healthcare has the most up-to-date, comprehensive and integrated data on over 7,700 hospitals, 1.4 million physicians, and numerous other healthcare providers. Users can search for facilities using a variety of different technology metrics, such as vendor, estimated IT spending and budget, and data breach history.
For more information on the top EHR deployments at acute care facilities, download our featured report.