Preventing a breach of confidentiality in healthcare requires layered defenses: technical controls like encryption and access restrictions, physical safeguards for devices and paper records, and consistent staff training. In 2024, 592 hacking incidents involving protected health information were reported to the Department of Health and Human Services, affecting a record 259 million Americans. The average healthcare breach now costs $10.93 million, nearly double the next most-affected industry. These numbers make clear that confidentiality isn’t just an ethical obligation; it’s an operational priority with enormous financial and legal consequences.
Why Healthcare Breaches Keep Happening
Healthcare is the most targeted industry for cyberattacks. In 2024 alone, 444 reported cyberthreat incidents hit the sector, including 238 ransomware attacks and 206 data breaches. The majority of ransomware attacks come from Russian-speaking groups that rely on social engineering, stolen login credentials, and unpatched software vulnerabilities to get in. But not every breach involves a sophisticated hacker. Many result from lost devices, misdirected emails, improper disposal of records, or staff members accessing patient files they have no reason to view.
Understanding these entry points is the first step toward closing them. The strategies below address each layer of vulnerability, from digital systems to paper charts to everyday human behavior.
Control Who Can Access Patient Records
The single most effective technical measure is restricting access so that each employee can only see the patient information relevant to their specific role. This principle, known as least privilege, means a billing specialist sees billing data, a nurse sees clinical notes for patients in their care, and a front-desk coordinator sees scheduling information. No one gets blanket access to everything.
Modern electronic health record systems support role-based access control, which groups staff by function and assigns permissions accordingly. More granular approaches go further, limiting access down to individual data fields or specific sections of a patient’s chart. The goal is the same regardless of the system: no one touches data they don’t need for their job. Review these access permissions regularly, especially when employees change roles or leave the organization, to prevent outdated permissions from lingering.
Every user should also have a unique login. Shared credentials make it impossible to trace who accessed what. Pair unique logins with automatic logoff after a period of inactivity so that an unattended workstation doesn’t become an open door.
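The access rules described above (role-based permissions, clinical notes scoped to a care team, unique logins, and periodic review of who still holds access) can be expressed in a few dozen lines. The following Go program is an added example written for this article; it is not code from any EHR vendor. The roles, record sections, user IDs and the 90-day review interval are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Role names and the record sections each role may read. Constructed for this
// example; a real system carries these in its configuration.
type Role string

const (
	Billing   Role = "billing"
	Nurse     Role = "nurse"
	FrontDesk Role = "front_desk"
)

var rolePermissions = map[Role]map[string]bool{
	Billing:   {"billing": true},
	Nurse:     {"clinical_notes": true, "scheduling": true},
	FrontDesk: {"scheduling": true},
}

// User is one named account. There is no way to express a shared login here,
// which is deliberate: every access decision is tied to one person.
type User struct {
	ID         string
	Role       Role
	Active     bool      // false once the employee has left
	LastReview time.Time // when this user's permissions were last reviewed
}

type Patient struct {
	MRN      string
	CareTeam map[string]bool // user IDs of clinicians assigned to this patient
}

// CanAccess implements least privilege: the account must be active, the role
// must permit the section, and clinical notes are further limited to patients
// on the user's care team.
func CanAccess(u User, p Patient, section string) bool {
	if !u.Active {
		return false
	}
	if !rolePermissions[u.Role][section] {
		return false
	}
	if section == "clinical_notes" && !p.CareTeam[u.ID] {
		return false
	}
	return true
}

// StalePermissions returns the IDs of users whose permissions have not been
// reviewed within maxAge, plus inactive users still present in the user list,
// so that departed staff and outdated role grants do not linger.
func StalePermissions(users []User, now time.Time, maxAge time.Duration) []string {
	var stale []string
	for _, u := range users {
		if !u.Active || now.Sub(u.LastReview) > maxAge {
			stale = append(stale, u.ID)
		}
	}
	return stale
}

func main() {
	patient := Patient{MRN: "MRN-0001", CareTeam: map[string]bool{"nurse.kim": true}}
	now := time.Now()
	users := []User{
		{ID: "bill.ops", Role: Billing, Active: true, LastReview: now},
		{ID: "nurse.kim", Role: Nurse, Active: true, LastReview: now.AddDate(-1, 0, 0)},
		{ID: "nurse.lee", Role: Nurse, Active: true, LastReview: now},
	}
	for _, u := range users {
		for _, section := range []string{"billing", "clinical_notes", "scheduling"} {
			fmt.Printf("%-10s %-15s %v\n", u.ID, section, CanAccess(u, patient, section))
		}
	}
	fmt.Println("needs access review:", StalePermissions(users, now, 90*24*time.Hour))
}
```

Note that nurse.lee holds the same role as nurse.kim but is denied the clinical notes of a patient not on their care team; the role alone is not enough, which is what the field-level and patient-level granularity in the text refers to.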
Encrypt Data at Rest and in Transit
Encryption converts patient data into unreadable ciphertext that can be turned back into readable form only with the right key. It needs to happen in two places: where data is stored (at rest) and where data is moving between systems (in transit).
For stored data, the National Institute of Standards and Technology recommends AES-256, a strong encryption standard used across government and finance. For data moving over a network, such as when a provider sends records to a specialist or a patient portal loads lab results, TLS (Transport Layer Security) is the standard protocol. TLS encrypts data as it travels so that anyone intercepting the transmission sees only gibberish.
Encryption matters most in breach scenarios. Under federal rules, if breached data was properly encrypted, the incident may not trigger notification requirements because the information is considered unusable to whoever accessed it.
Secure Mobile Devices and Workstations
Laptops, tablets, and smartphones are among the most common sources of breaches simply because they’re easy to lose or steal. The Department of Health and Human Services recommends several baseline controls for any mobile device that touches patient data:
- Multi-factor authentication: Require a second verification step beyond a password, such as a code sent to a phone or a biometric scan.
- Screen lock after inactivity: Devices should lock themselves after a short idle period, requiring re-authentication.
- Remote wipe capability: If a device is lost or stolen, IT staff need to erase its contents remotely before anyone can access the data.
- Password complexity requirements: Enforce strong passwords and periodic changes, with passwords masked during entry.
Staff should be required to report a lost or stolen device immediately so that remote wiping can happen before data is exposed. Even a few hours of delay can be the difference between a contained incident and a reportable breach.
Train Staff Regularly and Specifically
Technology only works if people use it correctly. Federal privacy rules require that every workforce member receive training on policies and procedures related to protected health information. A proposed update to the security rule would formalize what many organizations already consider best practice: role-based security awareness training before an employee ever touches patient data, then refresher training at least twice per year.
Effective training goes beyond reading a policy document. It covers real scenarios: how to spot phishing emails (the top entry point for ransomware), what to do if you accidentally send records to the wrong fax number, why looking up a celebrity patient’s chart is a fireable offense even if you don’t share the information, and how to verify a caller’s identity before releasing any details over the phone. Training should be tailored to each role. A radiology technician faces different risks than someone in medical records or a home health aide using a tablet in a patient’s living room.
Protect Physical Records and Disposal
Digital security gets most of the attention, but paper records, printed lab results, and old hard drives still cause breaches. Physical safeguards start with controlling who can enter areas where records are stored or accessed. Workstations displaying patient information should face away from public view, and printouts should never sit unattended on shared printers.
When it’s time to destroy records, the method matters. For paper documents and microfilm, cross-cut shredding should produce particles no larger than 1 mm by 5 mm. Alternatively, paper can be pulverized using a disintegrator with a security screen of 3/32 inch or smaller. CDs, DVDs, and old hard drives should be physically destroyed or incinerated at a licensed facility. Simply deleting files or tossing a disk in the trash is not sufficient, as data can be recovered from improperly discarded media.
Monitor Systems With Audit Controls
Prevention isn’t only about keeping people out. It’s also about knowing exactly what happens inside your systems. Federal security standards require organizations to implement mechanisms that record and examine activity in any system containing patient data. These audit logs track who accessed a record, when, and what they did with it.
Audit logs serve two purposes. First, they deter inappropriate access because staff know their activity is being tracked. Second, they allow you to detect a breach quickly. The faster you identify unauthorized access, the smaller the damage and the easier it is to meet reporting obligations. Organizations should review audit logs proactively, not just after a suspected incident, and flag anomalies like after-hours access, bulk downloads, or repeated views of records outside someone’s department.
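The proactive review described above can be automated over the access log an EHR already produces. The Go program below is an added example for this article, not code from any EHR or SIEM; the log line format, the department names, the 06:00 to 20:00 working window, and the bulk threshold are all constructed assumptions. It flags the three anomalies the text names: after-hours access, bulk exports by one user, and views of records outside the user's department.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed access log. Each line is an RFC 3339 timestamp
// followed by key=value fields; record_dept is the department that owns the
// record being touched.
var SampleLog = []string{
	"2025-05-12T09:02:11Z user=nurse.kim dept=cardiology action=view mrn=MRN-0042 record_dept=cardiology",
	"2025-05-12T02:14:07Z user=clerk.ray dept=front_desk action=view mrn=MRN-0042 record_dept=cardiology",
	"2025-05-12T10:15:00Z user=billing.amy dept=billing action=export mrn=MRN-0001 record_dept=billing",
	"2025-05-12T10:15:03Z user=billing.amy dept=billing action=export mrn=MRN-0002 record_dept=billing",
	"2025-05-12T10:15:06Z user=billing.amy dept=billing action=export mrn=MRN-0003 record_dept=billing",
	"2025-05-12T10:15:09Z user=billing.amy dept=billing action=export mrn=MRN-0004 record_dept=billing",
	"2025-05-12T14:30:00Z user=dr.chen dept=oncology action=view mrn=MRN-0007 record_dept=oncology",
}

type Finding struct {
	User   string
	Rule   string // after_hours, cross_department or bulk_export
	Detail string
}

type event struct {
	at                                  time.Time
	user, dept, action, mrn, recordDept string
}

func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	e := event{at: at}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			e.user = v
		case "dept":
			e.dept = v
		case "action":
			e.action = v
		case "mrn":
			e.mrn = v
		case "record_dept":
			e.recordDept = v
		}
	}
	return e, nil
}

// ReviewAuditLog applies three rules. Hours are taken from the timestamp as
// written (UTC in the sample); a deployment would convert to local time and
// tune the window per unit, since some wards legitimately run around the clock.
func ReviewAuditLog(lines []string, bulkThreshold int) ([]Finding, error) {
	var findings []Finding
	exports := map[string]int{}
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		e, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if h := e.at.Hour(); h < 6 || h >= 20 {
			findings = append(findings, Finding{e.user, "after_hours",
				fmt.Sprintf("%s of %s at %s", e.action, e.mrn, e.at.Format(time.RFC3339))})
		}
		if e.dept != e.recordDept {
			findings = append(findings, Finding{e.user, "cross_department",
				fmt.Sprintf("%s (%s) touched %s record %s", e.user, e.dept, e.recordDept, e.mrn)})
		}
		if e.action == "export" {
			exports[e.user]++
		}
	}
	users := make([]string, 0, len(exports))
	for u := range exports {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order
	for _, u := range users {
		if exports[u] >= bulkThreshold {
			findings = append(findings, Finding{u, "bulk_export",
				fmt.Sprintf("%d exports in the log window", exports[u])})
		}
	}
	return findings, nil
}

func main() {
	findings, err := ReviewAuditLog(SampleLog, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %-17s %s\n", f.User, f.Rule, f.Detail)
	}
}
```

Run against the sample, the front-desk clerk's 02:14 view of a cardiology record produces two findings and the billing user's four exports produce one; the two in-department daytime views produce none. That is the kind of short, reviewable list a privacy officer can work through daily rather than only after a complaint.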
Build a Breach Response Plan Before You Need One
Even with strong prevention, breaches can still occur. Having a tested response plan limits the damage and keeps you in compliance with strict federal timelines. After discovering a breach of unsecured protected health information, you must notify affected individuals within 60 days. If the breach affects 500 or more people, you must also notify the media and the Secretary of Health and Human Services within that same 60-day window. For smaller breaches affecting fewer than 500 individuals, reports to HHS can be filed annually, due within 60 days after the end of the calendar year.
Any business associate, such as a billing company or cloud storage provider, that discovers a breach must notify the covered entity within 60 days as well. Your response plan should spell out who is responsible for each notification, how affected patients will be contacted, and what steps will be taken to contain the breach and prevent recurrence. Run tabletop exercises at least annually so that the plan doesn’t just exist on paper.
Know When Disclosure Is Legally Permitted
Not every disclosure of patient information is a breach. Federal privacy rules allow certain disclosures without patient authorization, and understanding these exceptions prevents both over-sharing and unnecessary alarm.
Protected health information can be shared for public health activities: reporting communicable diseases to public health authorities, notifying someone exposed to a contagious illness, reporting adverse events to the FDA, and complying with workplace safety laws. Disclosures to law enforcement are also permitted under specific conditions, including court orders, efforts to locate a suspect or missing person, situations involving suspected criminal activity on healthcare premises, and medical emergencies where a provider needs to report a crime.
These exceptions are narrow and conditional. Staff should understand that a permitted disclosure still requires following the minimum necessary standard: share only what’s needed for the specific purpose and nothing more.
Manage Vendor and Business Associate Risk
Many breaches don’t originate inside a healthcare organization. They come through third-party vendors: billing services, IT contractors, cloud platforms, or even document shredding companies. Federal rules require written agreements with every business associate that handles protected health information, specifying how they’ll safeguard it and what happens if they experience a breach.
Don’t treat these agreements as paperwork formalities. Vet your vendors’ security practices before signing, require them to meet the same encryption and access control standards you follow internally, and include provisions for regular security assessments. A vendor’s weak security becomes your breach, your notification obligation, and your financial liability.