The healthcare sector continues to be the industry suffering one of the highest costs of a data security breach. Healthcare lags behind other industries in cybersecurity preparedness despite advances in cybersecurity technologies. Technical safeguards to protect electronic health records must be combined with human behavioral interventions to promote a robust cybersecurity plan. Using data from the United States Department of Health and Human Services, we conducted an exploratory analysis of past data breaches in healthcare organizations from January 2015 to December 2020 to explore the extent to which human elements played a role in data security incidents. We found that a vast majority of health records were compromised due to poor human security. The mean number of records affected by a breach due to unintentional insider threats is more than twice that of breaches caused by malicious intent such as external cyberattacks and theft. Our findings also indicate that, on average, more patient records are compromised from falling for a phishing scam than any other reason. We argue that proper cybersecurity contingency plans in healthcare must include human behavioral interventions that go beyond technical controls.
Keywords: cybersecurity; healthcare breaches; human factors; insider threats.
Copyright © 2022 by the American Health Information Management Association.