Everyone Onboard: Applying the “Outbreak Prevention” Approach to PHI and ePHI

by ih-coc admin

Most expenditures undertaken by covered entities and/or their business associates to ensure compliance with the HIPAA Security Rule are related to network security, data storage, and endpoint access. However, while the big data breaches that garner media coverage are often the result of cybersecurity crimes, via ransomware or hacking, the more common data breaches have been found to take place due to well-intentioned but misplaced internal sharing, undertaken by authorized employees of the organization.

The Summer 2018 Cybersecurity and Risk Awareness Survey was undertaken and published by Spanning Cloud Apps, LLC, a well-recognized provider of backup and recovery for major platforms that offer HIPAA-compliant services, such as Microsoft 365, G Suite, and Salesforce. According to the findings of this survey, a majority (8 out of 10) of U.S. workers are risk averse (spanning.com), meaning that they refrain from clicking on unrecognizable links, avoid sharing their passwords via email or text, and use a combination of symbols, numbers, and letters to create passwords. Yet a comparatively high number of these same surveyed workers engage in everyday behaviors that ultimately do undermine an organization’s compliance with the HIPAA Security Rule, such as:

Online Shopping

According to the Spanning Survey, “More than 52 percent of all employees and 62 percent of admin holders polled” admitted to undertaking online shopping from their work computer (spanning.com). 30% of these respondents also demonstrated their inability to clearly “identify an unsecure ecommerce website,” and over 50% of those who were able to demonstrate their ability to identify an unsecure website did not choose a broken padlock as a key indicator of the same (spanning.com). This is troubling, because the difference between “http” and “https” is considered to be universally communicated through the locked and unlocked/broken padlock icons shown in a website’s address bar.

Phishing Emails

The same survey underscored the fact that most employees at U.S. organizations are vulnerable to phishing links sent via email. Only 36% were able to recognize a phishing link as suspicious.

The Politeness Flaw

“Almost half” of the respondents to the Spanning Survey stated that if asked by a colleague, they would share their work computer or access to the same, to help their colleague to meet a deadline or overcome a technical issue they were facing with their own computer. According to survey findings, “amongst those with administrative access, only 35 percent said they would refuse to allow a colleague to access their device” (spanning.com).

According to HHS, “A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable, so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI” (HHS.gov).

Findings like those uncovered by the Spanning Survey can empower covered entities and business associates to undertake an “Outbreak Prevention” approach to compliance training, engaging their employees with easy-to-learn risk aversion behaviors that begin and end with their daily interactions with IT and data at work. These everyday behaviors would allow an organization to improve its compliance internally and proactively, rather than leaving its data security department to react to breaches after the fact.


HHS.gov (2013). “Summary of the HIPAA Security Rule” Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Spanning.com (2018). “Trends in U.S. Worker Cyber Risk-Aversion and Threat Preparedness” Retrieved from https://spanning.com/resources/reports/trends-us-worker-cyber-risk-aversion-threat-preparedness/