Now that data breaches are becoming so common among providers, hospital leaders have to learn from the mistakes of others if they want to protect their own systems.

This is especially important since hackers and cyberattacks are now the leading cause of data breaches in health care.

Finding out where others skimped on security can help hospitals create more effective protection for their own systems and patients’ protected health information (PHI).

And two recent breaches at government offices give providers good insight on steps their own facilities need to be taking.

Lessons from the OPM

Recently, the Office of Personnel Management (OPM) experienced a breach due to a cyberattack and a lack of security provisions. The attack exposed the information of 4 million federal employees, and the event is being linked to similar attacks on Anthem and Premera.

Now, a new report commissioned by Congress and performed by the Institute for Critical Infrastructure Technology highlights some of the areas where the OPM’s security fell short, as HealthITSecurity reports.

For example, Parham Eftekhari, co-founder of the institute, points out that the OPM didn’t have a multi-layered security system in place. This system lets organizations defend against outside intruders, and gives them a better chance to discover attacks before PHI is exposed if a hacker is able to infiltrate the system.

He also noted that the agency lacked a solid cybersecurity strategy in place, particularly to govern data and access credentials. According to Eftekhari, the OPM should have had policies in place to address regularly changing passwords, and manage and disable employee accounts when a worker leaves the organization.

The OPM needed wider use of encryption to protect data. For example, Eftekhari recommends facilities consider using split-key encryption, where half of the access keys go to the organization and the other half stays with the vendor, in addition to typical device encryption.

The report highlights that, regardless of an organizations’ size and access to resources, certain security precautions must be implemented. These steps are especially important as hospitals continue to implement new health IT and expand the number of locations where PHI is accessed and stored.

Keeping up with security maintenance

A Colorado State agency also recently experienced a breach due to an IT area which had become outdated.

As Health IT News reports, the Colorado Department of Health Care Policy recently exposed the PHI of nearly 3,000 residents after a technical glitch.

A “very old code” in the agency’s record system exposed a vulnerability, causing a glitch when it was finally updated. That glitch then inadvertently sent out letters with people’s PHI to the wrong households.

Several healthcare facilities have also been penalized for similar breaches, and the cost for these kinds of errors is often steep.

Last year, New York Prsbyterian Hospital and Columbia University Medical Center agreed to settle a similar HIPAA violation for a record setting $4.8 million after 7,000 patients’ PHI was accidentally put on Google.

These kinds of incidents highlight the importance of routine system maintenance, such as upgrade and security patch management. However, many health organizations lack the resources to manually oversee this task on top of addressing other security and health IT issues.

In these cases, facilities’ best bet is to consider finding ways or systems that can automate these processes, freeing staff for other projects.