On-the-Spot Intervention 95% Effective in Reducing Healthcare Employees’ Unauthorized Access to Protected Health Information (PHI)

By April 13, 2022 June 9th, 2022 News

Protenus is pleased to announce a recent study found that on-the-spot interventions for healthcare employees who inappropriately accessed PHI were 95% effective in preventing repeat offenses. The article, “Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial” by authors Dr. John (Xuefeng) Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University; Nick Culbertson, CEO and Co-Founder of Protenus; and Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School, was published on JAMA Network Open yesterday.

Insider data breaches are no small matter for healthcare organizations, especially large academic medical centers like the one in the trial. 92% of combined small and large breaches in 2019 were tied to unauthorized access, according to publicly available U.S. Department of Health & Human Services (HHS) data. Typically, organizations focus on the low-volume, high-risk events like VIP patient privacy violations that often go public, rather than the high-volume, low-risk events such as access to a family member’s information or self-access, which can be just as violating to the patient.

In the case of small compliance teams or limited staff resources, it’s easy to miss all the benign or smaller events, but those often turn into bigger offenses over time. Says Nick Culbertson, “If you just wait for a big event, you’re going to miss the preventable small actions that can escalate into higher risk violations. Prevention is the most effective strategy. And that’s what we do at Protenus — working to eliminate risk, not waiting for it to happen.”

The researchers hypothesized that education could help stop first-time offenders from further violations. Through their trial, they uncovered supporting evidence that this was indeed the case. “What an email warning can do to deter employees’ unauthorized access is stunning. A simple email can lead to big changes,” says Dr. Ge Bai — an outcome that confirms the power of technology in supporting the proven hypothesis.

With healthcare constantly under attack by cybercriminals, it’s encouraging that the risk from insider events can be greatly mitigated. Dr. John (Xuefeng) Jiang says, “In my previous work, we found more than half of the healthcare data breaches were caused by providers’ internal mistakes or neglect. So I was thrilled to find out that a simple email warning could significantly reduce these internal mistakes. I look forward to working with Nick and Protenus to uncover other solutions to the cybersecurity challenges in healthcare.”

If allowed to go unchecked, healthcare employees committing unauthorized access to protected health information present a huge financial and reputational risk to the organization and most importantly, its patients. To learn more about how data breaches are affecting the healthcare industry, download the 2022 Breach Barometer from Protenus.