Data Breach Remains a Top Concern in Health Care Industry
posted Apr 17, 2017 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Health care organizations and their business partners must report data breaches that affect 500 people or more to the U.S. Department of Health and Human Services (HHS) no later than 60 days after an incident occurs. Since the HHS database started tracking this data in 2009, more than 171 million patient records have been lost or stolen. Many additional breaches have occurred that are too small to be included in the HHS database.
The Ponemon Institute, a security firm, estimates that data breaches cost U.S. health care entities an average of $402 per lost or stolen record in 2016 (compared to an average cost of $221 per record for all industries). Here’s a closer look at why health care records are especially vulnerable to data breach and how organizations can minimize their losses.
Targeting Health Care
Under the Health Insurance Portability and Accountability Act (HIPAA), a breach is “generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Most breaches are tied to theft, data loss, hacking, malware and other unauthorized access to accounts.
Entities of every size and in every industry can become victims of a data breach. But health data tends to be more valuable to thieves than credit card information because it can be used to access bank accounts and obtain prescriptions for controlled substances.
Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data estimates that about 90% of health care organizations have suffered a breach in the past two years — and half of these breaches were the result of a criminal attack, including 13% by malicious insiders.
Gauging Security Practices
The first step to minimize the risk of data breach is to identify all areas of potential vulnerability, including:
- A lack of skilled people,
- Inadequate budget to detect or manage data breaches,
- External business partners with weak security controls,
- Insecure mobile devices and cloud computing, and
- Negligent or malicious employees.
In the event that a breach occurs, two-thirds of the health care companies surveyed by Ponemon neither offer protection services for breach victims nor have processes in place for correcting errors in victims’ records. Only one-third of respondents had purchased cyber breach insurance — and even fewer had added coverage for breach response services.
Once weaknesses have been identified, the next step is to fortify the organization’s premises, records and equipment. For example, install physical security measures such as locks and security cameras, and use shredders so that discarded records and media are securely disposed of. Also, encrypt all devices that carry protected health information (PHI), including desktops, laptops, tablets, smartphones, memory sticks and centralized servers. Loss or theft of such devices is one of the most common breach risks, and encryption is the best defense.
Training is another critical step. Health care staff should understand how to safeguard PHI in accordance with HIPAA policies and how to respond to patients in case a breach occurs. Expect your business partners to follow the same proactive security measures.
Diagnosing and fixing data security vulnerabilities isn’t something management can do once and forget about. Fighting a data breach is an ongoing battle against company insiders and outsiders who may be negligent, untrained or downright malicious. Contact us for help ramping up internal controls to help protect patient records, investigating breaches and responding in a timely, proactive manner.