Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis

Abstract

The healthcare sector continues to be the industry suffering one of the highest costs of a data security breach. Healthcare lags behind other industries in cybersecurity preparedness despite advances in cybersecurity technologies. Technical safeguards to protect electronic health records must be combined with human behavioral interventions to promote a robust cybersecurity plan. Using data from the United States Department of Health and Human Services, we conducted an exploratory analysis of past data breaches in healthcare organizations from January 2015 to December 2020 to explore the extent to which human elements played a role in data security incidents. We found that a vast majority of health records were compromised due to poor human security. The mean number of records affected by a breach due to unintentional insider threats is more than twice that of breaches caused by malicious intent such as external cyberattacks and theft. Our findings also indicate that, on average, more patient records are compromised from falling for a phishing scam than any other reason. We argue that proper cybersecurity contingency plans in healthcare must include human behavioral interventions that go beyond technical controls.

Introduction

The digitization of medical records has changed the landscape of healthcare systems worldwide. With the advent of the information age, paper-based healthcare records were gradually and systematically converted into digitized electronic health records (EHRs). In the last two decades, the push toward resource sharing in technology is revolutionizing the healthcare sector by providing an efficient way of sharing patient records between healthcare professionals. Compared to paper-based records, EHRs require less manpower, time, and physical storage. Caregivers and providers use EHRs to access care-related activities and provide evidence-based decision support and quality care.¹ However, the ease of access to EHRs is accompanied by rising cybersecurity threats and challenges.

In the annual “Cost of Data Breach” report conducted by the Ponemon Institute, the 2020 study noted that each compromised record cost an average of $146 to the healthcare organization (HCO). That figure increases to $150 per compromised record where personal health information (PHI) was involved. According to the report, healthcare continues to be the industry suffering the highest cost of a data breach at $7.13 million when factoring in other costs such as incident response, lost business, and notification costs. Eighty percent of the breached organizations participating in the study reported that PHI was involved. The cost of healthcare breaches is expected to increase during the COVID-19 pandemic, as 76 percent of HCOs in the survey predicted that implementing an incident response strategy will be made much more difficult by the ubiquity of remote work during the pandemic.² Most healthcare executives lack overall information security, employee security awareness, and incident response strategies.³ Breaches related to EHR can significantly affect HCOs, such as the accidental release of PHI to disruptions in clinical care.⁴, ⁵, ⁶ Disruptions and delays in patient care can result in patient death, and the impact on patient safety is likely to be underreported.⁷

Federal compliance laws such as Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act were enacted to require the adoption of electronic medical records and protect privacy and data security of PHI.⁸ As required by section 13402 (e) (4) of the HITECH Act, The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The HIPAA Security Rule requires healthcare organizations and covered entities protect electronic personal health information from cybersecurity threats.⁹ It also imposes administrative, technical, and physical standards for safeguards that organizations must implement. These entities must implement data security safeguards to protect PHI, such as medical records and insurance information. This paper presents an exploratory analysis of past EHR breaches in the United States from 2015 to 2020. By exploring the factors that led to violations, executives and decision-makers in HCOs can apply lessons from these breaches in securing their organizations.

Research Question

We investigated the extent to which the lack of proper human security enabled data breaches in HCOs. Our research questions were thus:

1. To what extent did the lack of human security result in data security breaches in healthcare records?

2. On average, how does the lack of human security affect the number of records breached in a cybersecurity incident in healthcare?

We hypothesized that data breaches in healthcare caused by unintentional human factors, such as carelessness, negligence, and falling victim to phishing and ransomware, outnumber those caused by malicious intent. The following sections discuss our observational study results and help research determine solutions for incorporating human security into organizational policies. We argue that any security framework must emphasize securing the human in HCOs.

Classification Method

We conducted an exploratory study on the factors that play a role in EHR-related cybersecurity breaches. HCOs are required by law to notify the OCR after a breach compromising EHRs and PHIs. The OCR publishes details of these reported breaches beginning October 2009 and makes the dataset publicly available.¹⁰ It includes reports from HCOs that have suffered breaches that compromised 500 or more EHRs. Since the law requires HCOs to notify HHS in the event of a violation, we believe that this nationwide sample is sufficiently representative of the population of EHR-related breaches in healthcare, with some limitations. Our analysis used a methodology based on the Joanna Briggs Institute (JBI) approach, which provides an evidence-based process for qualitative research.¹¹ We modified a similar method by Walker-Roberts et al.¹² in our classification process. Figure 1 shows a graphical representation of the flow process, which describes how we identified and screened each entry in our dataset for inclusion in the exploratory analysis. Our criteria for inclusions were that entries:

• Included valid and clear descriptions of the breach incident.

• Occurred between January 1, 2015, and December 31, 2020, inclusive

• Constituted a breach as defined under HIPAA. Entries alleging violations by entities not covered under HIPAA, or those determined by OCR to have not violated any HIPAA rules, were excluded.

Figure 1.

Entry Inclusion Flow Diagram, Adapted From the Joanna Briggs Institute Approach to Qualitative Analysis

We limited our analysis of the OCR dataset to the years spanning January 2015 to December 2020; after removing incomplete records and other entries that do not constitute a breach of PHI, the resulting set of data contained 1,485 security incidents. The data was then analyzed to determine the type of the cybersecurity breach. Entries were categorized based on the presence or absence of malicious intent. In 15 cases, we could not establish those criteria based on the incident descriptions provided in the original dataset. These cases were noted with an “Insufficient information” designation. Once the type of breach has been identified, we further classified each entry into the primary source or cause of the breach for analysis. Table 1 describes in detail our classification methods for each entry.

Table 1.

Classification of Reported Breaches into Categories

Source of Breach	Criteria for Inclusion	Example Entries
Carelessness/Negligencea	Generally used terms such as “inadvertently” and “accidentally” Exhibited the common trait of unintentional violation of established policies	“The covered entity (CE) … reported that its business associate (BA) … impermissibly mailed the protected health information (PHI) of 802 individuals to the wrong recipients.” “… a workforce member inadvertently emailed a spreadsheet containing the protected health information …” “… emailed patients without using the blind-copy function …”
Phishing and ransomwarea	Explicitly stated phishing or ransomware as the primary cause of the breach	“… reported that its business associate (BA) experienced a ransomware attack affecting the electronic protected health information (ePHI) of approximately 15,680 individuals.” “… an employee was the victim of an email phishing scheme that affected the electronic protected health information (ePHI) of 685 individuals.” “The covered entity's (CE) computer system was attacked by a ransomware virus that encrypted files … and damaged the network operating system rendering all of the CE's files unusable.”
Technical improper disclosurea	A result of coding impropriety, software bugs, and insecure configurations that led to PHI exposure Generally described as occurring due to technical errors or misconfigurations	“The covered entity (CE) … reported that unauthorized individuals accessed protected health information (PHI) due to a system administrator's incomplete installation of a web content management platform.” “… the business associate (BA), reported that an employee inadvertently misconfigured the settings on one of its computer servers, which made the server accessible over the Internet.” “The covered entity (CE) … reported that a programming error exposed the electronic protected health information (ePHI) of 11,536 individuals via its mobile application.”
Cyber-attack or external hacking attemptsb	Generally used terms such as “victim of a cyber-attack” and “hacking attempt” by external threat actors towards the organization Unlike phishing or ransomware, there were no clear enabling actions by employees, vendors and other internal actors	“… the covered entity (CE), reported that it was the victim of a cyber-attack involving the electronic protected health information (ePHI) of 20,418 individuals …” “The covered entity (CE), … reported that its business associate (BA) … was the victim of a cyber-attack involving the electronic protected health information (ePHI) of 33,730 individuals.” “the covered entity (CE) … discovered a cyber-attack as the malware was in the process of encrypting information in the CE's computer system… . Its investigation revealed that the cyber-attack's likely entry point was via remote desktop connection.”
Malicious insiderb	Described direct actions by an employee or business associate that facilitated a cyber breach for personal gains or the enrichment of another individual/entity	“… an employee emailed the protected health information (PHI) of 950 individuals to other members of a research study without authorization.” “… an employee … was arrested for fraud and the CE subsequently determined that she impermissibly accessed and used at least one patient's protected health information … ” “… an employee improperly disclosed protected health information (PHI) with the intent to sell it to an unauthorized third party.”
Theft	Described incidents such as burglary and physical theft by external actors	“… the covered entity (CE), reported that a computer was stolen that contained 27,113 patients' files of a newly acquired medical practice …” “… unknown persons broke into the covered entity's (CE) legal and audits offices, ransacked the offices and paper files, vandalized property, and started a fire that set off the building's sprinkler system, which caused water damage to many documents and workstations.” “… the covered entity (CE), reported that documents containing the protected health information (PHI) of approximately 616 individuals was stolen during looting due to civil unrest …”

^aUnintentional human factors.

^bMalicious human factors.

Results and Discussion

We studied 1,485 breach events occurring between January 2015 and December 2020, affecting 141,252,797 medical records. Of that number, 73.1 percent of all affected records resulted from breaches caused by unintentional factors, while 26.7 percent were caused by malicious factors. Figure 2 shows the resulting classification of the sources of EHR breaches in HCOs and their frequency of occurrence in the United States from January 2015 to December 2020. We found the most frequent reason for a cyber breach in HCOs is the result of carelessness and negligence (382 incidents), followed by theft (222 incidents), and falling victim to a phishing scam (221 incidents). Similarly, Table 2 shows the total number of records affected by each breach categories based off our classification method.

Figure 2.

Number of EHR Breach Incidents by Source of Breach from January 2015 to December 2020

Table 2.

Number of Affected Records by Type and Source of Breach

Type of Breach	Cause of Breach	Number of Records Affected	Percentage of Total Records Affected
	Carelessness/Negligence	2,553,710	1.81%
	Technical improper disclosure	2,461,813	1.74%
Unintentional	Phishing	93,248,376	66.02%
	Ransomware	4,780,329	3.38%
	Other	432,399	0.31%
	Total	103,196,622	73.06%
	Cyber-attack/Hack	30,114,246	21.32%
Malicious	Malicious insider	5,199,447	3.68%
	Theft/Burglary	2,455,155	1.74%
	Total	36,768,848	26.03%
Insufficient information		287,327	0.20%
Total number of records		141,252,797	100.00%

Carelessness/Negligence

Existing literature on insider threats generally assumes that individuals who commit cybersecurity transgressions do so due to an ulterior motive that is typically accompanied by malicious intent or the desire to enrich themselves for financial or personal gain.¹³ However, our dataset analysis revealed that 382 incidents, or 26 percent of all human factor-based breaches, were due to an insider's carelessness, negligence, or apathy. In each of these cases, no malicious intent was visible in that there was no intent to access patient data, but a data breach occurred. Employees or business associates may partake in risky cybersecurity behaviors due to a high risk tolerance or the desire to be efficient or helpful.¹⁴ In some cases, employees may inadvertently circumvent established policies because they view those policies as cumbersome or unrelated to patient outcomes.¹⁵ This paper does not intend to define a framework for what constitutes an insider threat but rather to show that carelessness and negligence stemming from risky behaviors, lack of awareness, and apathy are essential domains of human security.

Of the 382 incidents stemming from carelessness or negligence, 212 (55.5 percent) were incidents whereby an employee or business associate erroneously mailed or emailed PHI to the wrong recipients. Some were caused by misalignment in the printing process or information mismatched with patient data. In other cases, PHI may have been mailed to the correct recipients but done so in a manner that unintentionally exposed the PHI in transit.

Misplaced hard drives or documents containing PHI lost in the mail or transit were described in 71 incidents. In most of these cases, the covered entities never recovered the lost records. According to the dataset, some of these losses were attributed to carelessness on behalf of an employee. We note that we did not include cases where external individuals deliberately stole PHI during a burglary; these entries were classified under the “Theft” source of breach category due to the clear presence of malicious intent. These cases are therefore distinguished from incidents where PHI was lost due to negligence or carelessness. In a further 59 incidents, PHI was unintentionally and improperly exposed by individuals who uploaded the data onto publicly accessible websites or databases without taking security steps such as encrypting or sanitizing the data beforehand.

These accidental transgressions led to tangible consequences for both the offending employee(s) and the organization. According to the HHS dataset, consequences included penalties ranging from reprimand and retraining of the individual(s) to the suspension or termination of employment, depending on the severity and impact of the risky behavior. In addition, under HIPAA, organizations face substantial fines for noncompliance with the HIPAA Privacy Rule. In a February 2022 update, the OCR noted that since the compliance date of the Privacy Rule in April 2003, it has imposed civil penalties totaling $131 million to organizations for non-compliance.¹⁶

Phishing/Ransomware

Falling victim to a phishing scam made up most of the number of EHRs affected in our dataset. There were 221 incidents directly attributed to phishing scams, and 119 reported breaches were related to ransomware. Together, they make up 40.7 percent of all non-malicious events in our chosen time range. Our analysis combined phishing and ransomware incidents because a cybersecurity victim's vector to produce that outcome is similar. Phishing, which is the act of tricking a user into disclosing confidential information¹⁷ through a legitimate-looking email or link, is the vehicle that delivers the ransomware payload.¹⁸

In a phishing attack, one compromised credential can lead to multiple subsequent attacks, as we saw in Anthem Inc. in 2015,¹⁹ whereby a targeted spear-phishing campaign opened the door to further parts of its network. During the attack, 78,800,000 affected records were attributed to Anthem's breach incident as corroborated by the OCR dataset. Anthem had disclosed that it had suffered a data breach that affected almost 80 million customers.²⁰, ²¹ Anthem discovered that the attackers had managed to obtain several employees' credentials, possibly through a phishing attack in their investigation. Once the attackers had obtained the credentials, they ran several data queries between December 2014 and January 2015. The database credentials would then be trivial to access using the stolen credentials.²² Eventually, the attackers could access Anthem's enterprise data warehouse containing personally identifiable information (PII) and stole almost 80 million unique user records.²³

Although the Anthem incident may seem like a statistical outlier, we argue that, on the contrary, it further underscores the gravity of falling victim to a phishing attack. One phishing incident led to the most significant cybersecurity breach in the healthcare industry. Victims of phishing, ransomware, and other social engineering attacks become a new vector or vehicle to launch more in-depth and large-scale attacks.²⁴ Once in the system, the attackers ran queries and worked from there to gain higher-level access. The Anthem administrator who found the breach noticed that his password was used to run queries that he did not initiate.²⁵ The ability for an administrator's password to be used in this manner points to a possible flaw in Anthem's data management policy; actions executed by elevated privilege accounts should always be accompanied by some form of additional verification or authentication beyond a simple password requirement. While it cannot be said definitively that the presence of an additional authentication factor would have prevented the breach, it would have been an extra layer of defense against the attack.

Malicious Insider

Malicious insiders refer to individuals with knowledge or access to internal systems or networks, who then commit cybersecurity crimes with the express intent of enriching themselves for financial, personal, or other gains.²⁶, ²⁷ As we noted earlier in this paper, the allure of economic gains from PHI on the black market may drive individuals to commit cybercrime. However, malicious insiders may have motives other than profit, such as disgruntled employees attempting to exact revenge for a perceived wrong or a sense of entitlement. Cybersecurity controls typically are designed to thwart external attacks, and there are few, if any, technical controls that specifically defend against internal threats.²⁸ Insiders have a crucial advantage: They are generally knowledgeable about systems and processes in the organization and may have varying administrative access levels that external actors do not.

To illustrate this, we found that in our analysis of the OCR dataset, there were 217 incidents of malicious insiders, affecting a total of 55,199,447 records. In as many as 170 of these cases, employee(s) of the HCO accessed PHI without a legitimate business need.

Other Sources of Breach

Under the “Unintentional” type category, the source of a breach in a total of 32 incidents was something other than the abovementioned categories. Since there were relatively few of these, we combined and classified these entries as “Other” in our analysis. In three incidents, the breaches were caused by employees falling for a social engineering attack. Social engineering, which is an umbrella term that includes phishing and ransomware, describes a process whereby an attacker uses social interaction to deceive and obtain sensitive information from a victim.²⁹, ³⁰, ³¹ For instance, an attacker may pose as an authorized individual and trick a user into divulging credentials to an internal network. In the OCR dataset, due to the prevalence of healthcare breach incidents caused by falling victim to phishing or ransomware attacks, we distinguished these categories from the more broadly applicable social engineering category. Ten incidents in the “Other” category stemmed from a lack of a business associate agreement between a covered entity and its business associate. Under the HIPAA Rules, a business associate agreement must be executed to ensure that any business entity that establishes a relationship with a covered HCO will commit to safeguarding PHI. Other incidents include breaches due to miscellaneous policy violations (eight occurrences), unintentional physical exposure of PHI (five occurrences), easily guessed passwords (four), and natural disasters (two).

Across all incidents, the OCR dataset shows that from 2015 to 2020, the mean number of records affected by unintentional factors is 123,446, more than twice that of the mean caused by malicious factors. Figure 3 shows the mean number of records affected when considering the type of breach. A closer look at the subfactors shows that phishing and cyberattacks led to the highest mean number of records affected at 421,038 and 153,644 records. Figure 4 breaks those categories down further into its subcategories based off our classification method and shows the mean number of records affected by each subcategory.

Figure 3.

Mean of Records Affected per Incident by Type of Breach

Figure 4.

Mean of Records Affected per Incident by Source of Breach

Conclusion

As healthcare services evolve in technology and coverage, they aim to provide a variety of treatments in order to accommodate diverse patient demographics. This was especially noticeable with the influx of patients impacted by the COVID-19 global pandemic. Due to the volatile and unpredictable nature of the virus, healthcare providers were forced to find alternative means of treatment in order to adequately provide necessary services to their patients. This included an increase of services, which entailed the usage of tools such as technology through cloud-based data inference, surveys, COVID-19 screening symptom checklists, and virtual appointment services. Such alternative means of seeking treatment were designed to minimize risk of exposure to patients, healthcare providers, and workers. With the increase in telehealth services, many healthcare workers began to perform remote work during the pandemic.³² The Federal Bureau of Investigation (FBI) have reported that cyberattacks have increased almost 400 percent by the first few months of the pandemic.³³ In addition, the rise of telehealth means that many remote employees are now using their personal computers and home networks to perform their jobs. HCOs with essential workers working on-site are also grappling with the necessity of “bring your own device” (BYOD) policies to maintain patient care and outcome pre-pandemic. Working remotely means that HCOs have to deal with significant amounts of data being sent over the network off-premises in remote locations. In addition to expanding the attack surface for cyber criminals to take advantage of,³⁴, ³⁵ these developments and decentralized resources also increase the risk of accidental exposure of PHI as telehealth signals a necessary paradigm shift in providing patient care.

Data breaches in healthcare are incredibly lucrative as pathways to identity theft on the black market. According to Verizon's latest data breach report, published in May 2021, 85 percent of all breaches involved a human element, and during the COVID-19 global pandemic, phishing continued to be one of the most commonly employed methods in a data security incident across all industries. The report also indicated that ransomware has jumped to third place in terms of the most frequently occurring source of breaches. Similarly, the Healthcare Information and Management Systems Society (HIMSS) released a survey report stating that phishing is the most common attack vector in healthcare.³⁶ This finding is consistent with our discovery with the OCR dataset. We showed that, on average, more EHRs are compromised to a phishing scam (mean of 421,938 records affected) than any other reason. We also noted that in the time range of our analysis, carelessness, negligence, and phishing were the most frequently occurring sources of EHR breaches.

The discourse on data breaches and EHR exposure has changed from “if” to “when” an HCO will experience a data breach. Based on our observational study of the OCR dataset, threats involving human elements continue to be significant risk factors for EHR breaches. An organization's ability to train and impart information awareness to its employees' behaviors is paramount in the fight against cybersecurity attacks on HCOs. A survey conducted in Germany by PricewaterhouseCoopers (PwC) revealed that a staggering 87 percent of participants believe that better education for medical staff is crucial to an HCO's cybersecurity hygiene.³⁷ Phishing as a security incident is not new, yet the fact that it remains one of the most common occurrences of data breaches suggests that it may not be taken as seriously as it should be. Organizational data security policies may not receive widespread compliance in an HCO because employees may not perceive the risk of poor cybersecurity hygiene. An effective information awareness and training program must do more than simply transfer knowledge about proper behavior in cybersecurity. Incorporating behavioral science into training programs to change deeply rooted online habits is crucial in combating human-influenced breaches such as carelessness and phishing.³⁸, ³⁹, ⁴⁰ Technical safeguards should not be the only avenue to accomplish this goal; rather, it needs to be bolstered by the cyber vigilance of human elements.⁴¹ There is no one holy grail of countermeasures sufficient to prevent human risks that lead to cyberattacks. Each HCO must conduct its own risk assessment that accounts for resource constraints and the feasibility of such methods.⁴²

Our analysis of the data breaches in healthcare as reported to HHS has identified several contributing factors. As we have observed, many of the cases we analyzed involved unintentional insider threats, and these cases lead to significant loss and exposure of EHR. This analysis was informative in specifying directions for future research and areas to focus on in mitigating cyber-attacks.

Author Biographies

Liu Hua Yeo (lyeo@emich.edu) is a PhD candidate in cybersecurity at Eastern Michigan University. His research interests include risk factors in healthcare cybersecurity.

James Banfield (jbanfield@emich.edu) is an associate professor of cybersecurity at the School of Information Security and Applied Computing at Eastern Michigan University.