HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

9 Out of 10 Data Breaches Could Have Easily Been Avoided

Take a look at the healthcare data breach entries in the OCR web portal for 2015 (or any year) and you will notice the same types of data breaches are repeated time and again. The vast majority of those data breaches are avoidable.

A large percentage involve the loss of portable storage devices such as zip drives and hard drives. Many cite stolen devices, with laptop theft particularly common. Then there are server misconfigurations and firewalls that have accidentally been switched off. Patches are not installed promptly, leaving security vulnerabilities that can all too easily be exploited. Passwords are set that are too easy to guess, default logins are not changed, and risk assessments are not conducted regularly.

It may not always be possible to prevent a successful cyberattack, but it is possible to prevent the vast majority of data breaches.

Study Finds 9 out of 10 Data Breaches Could Easily Have Been Avoided

In fact, 9 out of 10 data breaches could easily have been avoided, according to a study published by the Online Trust Alliance (OTA). The study assessed the data breaches reported in the first 6 months of 2014 and found that in 91% of cases the breaches could easily have been prevented.


With hindsight, it is easy to say that a breach could have been avoided; however, the study showed that in the majority of cases data exposure could have been avoided by applying basic and well established security practices.

Some of the basic security measures include installing software patches when they are released. All too often patches are not installed promptly and software is not upgraded, even when organizations are provided with ample notice that software support will be retired.

The risk of zip drives and portable storage devices being lost or stolen is particularly high, yet alternatives are not explored and data encryption has not been implemented. In the study, 18% of breaches were the result of lost and stolen devices used to store sensitive data. Only when a breach is suffered do many healthcare organizations decide to encrypt their portable storage devices.

Social engineering was used in 11% of breaches. Training on anti-phishing strategies and how to identify social engineering scams could have prevented the vast majority of these data breaches.

Human Error Causes the Majority of Data Breaches

OTA assessed more than 1,000 data breaches that occurred between January and June 2014. While hacks often make the headlines, they only accounted for 40% of the breaches studied, and even then many of those were easily avoidable had precautions been taken and security holes plugged.

Risk assessments are still not being conducted regularly, and oftentimes they are not fully comprehensive. 29% of data breaches were caused by employees stealing or leaking data. In the case of the latter, training could have prevented a considerable proportion of those data breaches. In the case of the former, tighter controls over the data employees were allowed to access prior to their departure could have prevented data theft.
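The avoidable causes the article lists (unencrypted portable devices, overdue patches, unchanged default logins, weak passwords, stale risk assessments, and departed employees who still have access) can be turned into checks that run over an asset and account inventory. The following script is an added example, not code from HIPAA Journal or the OTA study; the inventory records, the thresholds (30-day patch window, yearly risk assessment, 12-character minimum password) and the audit date are all constructed assumptions.

```python
"""Basic-hygiene audit over a constructed asset/account inventory.

Added example, not part of the HIPAA Journal article or the OTA study.
Every threshold below is an assumed policy value, not a figure from the
article, and the inventory is constructed sample data.
"""
from datetime import date, timedelta

PATCH_SLA = timedelta(days=30)                  # assumed: patch within 30 days of release
RISK_ASSESSMENT_MAX_AGE = timedelta(days=365)   # assumed: at least one assessment per year
MIN_PASSWORD_LENGTH = 12                        # assumed policy minimum
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def audit_devices(devices, today):
    """Flag unencrypted portable devices and devices whose oldest missing
    patch was released longer ago than PATCH_SLA allows."""
    findings = []
    for d in devices:
        if d["portable"] and not d["encrypted"]:
            findings.append((d["id"], "portable device stores data unencrypted"))
        released = d.get("oldest_missing_patch")
        if released is not None and today - released > PATCH_SLA:
            overdue = (today - released - PATCH_SLA).days
            findings.append((d["id"], f"patch overdue by {overdue} days"))
    return findings


def audit_accounts(accounts, today):
    """Flag default logins, passwords below the policy minimum, and accounts
    still enabled after the recorded departure date.  The sample stores a
    password string only because it is constructed data; a real audit
    would test credentials against a policy, not keep them in an inventory."""
    findings = []
    for a in accounts:
        if (a["user"], a["password"]) in DEFAULT_LOGINS:
            findings.append((a["user"], "default login never changed"))
        elif len(a["password"]) < MIN_PASSWORD_LENGTH:
            findings.append((a["user"], "password shorter than policy minimum"))
        left = a.get("left_on")
        if a["enabled"] and left is not None and left <= today:
            findings.append((a["user"], "account still enabled after departure"))
    return findings


def audit_governance(org, today):
    """Flag a missing or out-of-date organisation-wide risk assessment."""
    last = org.get("last_risk_assessment")
    if last is None or today - last > RISK_ASSESSMENT_MAX_AGE:
        return [("org", "risk assessment older than policy allows")]
    return []


def run_audit(inventory, today):
    """Return every finding as an (asset, issue) tuple, devices first."""
    return (audit_devices(inventory["devices"], today)
            + audit_accounts(inventory["accounts"], today)
            + audit_governance(inventory["org"], today))


# Constructed sample inventory; none of these records describe a real system.
AUDIT_DATE = date(2016, 3, 1)
SAMPLE_INVENTORY = {
    "devices": [
        {"id": "lap-01", "portable": True, "encrypted": False, "oldest_missing_patch": None},
        {"id": "lap-02", "portable": True, "encrypted": True, "oldest_missing_patch": date(2016, 2, 20)},
        {"id": "srv-01", "portable": False, "encrypted": False, "oldest_missing_patch": date(2015, 12, 1)},
    ],
    "accounts": [
        {"user": "admin", "password": "admin", "enabled": True, "left_on": None},
        {"user": "jdoe", "password": "correct-horse-battery", "enabled": True, "left_on": date(2016, 1, 15)},
        {"user": "asmith", "password": "Pass1234", "enabled": True, "left_on": None},
        {"user": "bjones", "password": "a-long-enough-passphrase", "enabled": False, "left_on": date(2016, 2, 1)},
    ],
    "org": {"last_risk_assessment": date(2014, 9, 1)},
}

if __name__ == "__main__":
    for asset, issue in run_audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{asset}: {issue}")
```

Run against the sample, the audit reports six findings: the unencrypted laptop, the server whose patch is 61 days past the window, the unchanged `admin` login, the departed user whose account is still enabled, the short password, and the risk assessment that is more than a year old. The disabled account and the encrypted, recently patched laptop produce nothing, which is the point of the check: it separates the avoidable conditions the article describes from assets that already meet the basic controls.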

The study may not have assessed the most recent breaches, but the same errors are being made time and again. The study is just as relevant in 2016.

To help organizations keep data secure, OTA has released a new set of best practices. If followed, they can help organizations improve their security posture. Further information can be found on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.