Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis

ABSTRACT

According to the report, healthcare continues to be the industry suffering the highest cost of a data breach at $7.13 million when factoring in other costs such as incident response, lost business, and notification costs. The cost of healthcare breaches is expected to increase during the COVID-19 pandemic, as 76 percent of HCOs in the survey predicted that implementing an incident response strategy will be made much more difficult by the ubiquity of remote work during the pandemic.2 Most healthcare executives lack overall information security, employee security awareness, and incident response strategies.3 Breaches related to EHR can significantly affect HCOs, such as the accidental release of PHI to disruptions in clinical care.4-6 Disruptions and delays in patient care can result in patient death, and the impact on patient safety is likely to be underreported.7 Federal compliance laws such as Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act were enacted to require the adoption of electronic medical records and protect privacy and data security of PHI.8As required by section 13402 (e) (4) of the HITECH Act, The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The HIPAA Security Rule requires healthcare organizations and covered entities protect electronic personal health information from cybersecurity threats.9 It also imposes administrative, technical, and physical standards for safeguards that organizations must implement. The OCR publishes details of these reported breaches beginning October 2009 and makes the dataset publicly available.10 It includes reports from HCOs that have suffered breaches that compromised 500 or more EHRs. Since the law requires HCOs to notify HHS in the event of a violation, we believe that this nationwide sample is sufficiently representative of the population of EHR-related breaches in healthcare, with some limitations.