In the U.S., the healthcare industry remains vulnerable to data breaches affecting millions of American patients as of 2015. Hackers have stolen sensitive data such as identity, credit card, and healthcare information from electronic databases, leaving affected individuals exposed to identity theft and fraud. The lure of healthcare data is simple – personal information and healthcare records are 10 times more valuable than credit card information, which makes them lucrative targets for hackers. Fortunately, there are solutions available that healthcare organizations can use to reduce the risks these vulnerabilities present.
Healthcare Data Breach Statistics
The HITECH (Health Information Technology for Economic and Clinical Health) Act was signed into law in 2009 to encourage the meaningful use of electronic records. Since then, over 40 million patients have reported being affected by data breaches. In 2014, 9 million health records were exposed in over 160 data breaches, and about 1,170 large breaches affecting Protected Health Information have occurred.
Criminal attacks are the leading reason data breaches occur. More than half of these breaches resulted from exposure to hackers, while the rest involved theft, unauthorized access, or access through a server. Research shows that hacking attacks on hospitals increased by 600% in 2014, raising the risk that patients’ data will be exposed.
Causes of Data Breaches
The transition of patient records from paper to electronic data has made snooping around for healthcare information that much easier for hackers and other unscrupulous individuals. Turning documents that could once be kept under physical lock and key into electronic data has exposed a number of vulnerabilities that criminals now actively exploit.
The attacks are not about to subside. Nearly 60% of American hospitals use some form of EHR (Electronic Health Record) system, and about 65% have reported security incidents involving their electronic information. Vulnerabilities in existing software can also leave electronic databases weak against attackers, who simply exploit any issues they find for their own benefit.
Other causes of data breaches are spear-phishing and malware attacks, particularly at hospitals whose data can be accessed online. However, the majority of hospitals report that data breaches usually result from stolen or lost devices used in-house.
Who is Affected?
Patients whose healthcare records are stored and processed electronically face the highest risk. Records containing patients’ names, dates of birth, addresses, contact numbers, e-mail addresses, and other sensitive data such as personal, employment, and income information, member IDs, and social security numbers are the most sought-after among hackers.
Health insurance companies are also vulnerable to data breaches. In March 2011, for example, the records of 11 million people were hacked from the files of Premera Blue Cross. In September of the same year, the records of nearly 5 million military personnel were also exposed. The biggest breach so far occurred in January 2015, when Anthem Health Insurance was hacked, putting the records of nearly 79 million people at risk.
The Cost of Healthcare Breaches
Lost data can have a number of repercussions, and the consequences of having patients’ personal and medical records stolen can be costly. Hospitals and medical institutions, for example, must pay for regulatory fines, notification expenses, identity theft repair, credit monitoring, and disruptions to business operations. There are also the expenses associated with lost business when disgruntled patients seek treatment at other hospitals, as well as investigations, remediation, and even class-action lawsuits. In figures, health organizations can expect to spend an average of $200 for every lost record and over $2 million for every data breach incident. Overall, it costs the healthcare industry about $5.6 billion a year to rectify and manage lost and stolen records.
Learning How to Prevent Data Breach
Prevention remains the best defense against medical data breaches. Surprisingly, in spite of the threat of hacking, only about 40% of healthcare organizations express concern about computer-based attacks, and fewer than half agree that they have technologies in place to prevent or detect possible problems.
More than half of organizations believe that proper procedures and policies should be designed and implemented to prevent and identify potential threats, such as unauthorized access to data, theft, or loss. However, only about 53% of organizations have personnel with the technical expertise and know-how to detect and identify data breaches and respond to them immediately.
How Organizations Face the Problem
About half of healthcare organizations in the country use a 4-factor risk assessment when a security incident involving electronic data occurs. Still, the majority of organizations devote just 20% or less of their security budget to incident response for data breaches. The team primarily responsible for managing a problem of this nature usually comprises staff members from IT, Information Security, Compliance, the Privacy Office, Human Resources, Risk Management, and Security.
Preventing the Problem
There is no solution that can guarantee 100% protection against data breaches. However, there are steps that healthcare organizations can take to strengthen their defenses and deny attackers easy access to data. These include:
- Conduct regular assessments of IT systems to improve security policies, review threats, and identify risks and vulnerabilities.
- Hire IT specialists with the right background to handle the job, and provide training and development opportunities to in-house IT staff.
- Ensure that all employees are aware of and understand HIPAA and state rules and regulations regarding patient information privacy.
- Create and promote a culture of security and awareness among employees to encourage them to proactively protect patient information and records.
- Encrypt patient medical data that is stored on, or can be accessed through, servers, hospital computers, and medical and mobile devices.
- Keep the networks dedicated to medical applications and devices secure, and provide separate sub-networks for use by guests and non-medical personnel.
- Impose access-level limitations so that personnel can only access data pertinent to their jobs.
- Maintain ownership of patient data within the healthcare organization, not with CSPs (cloud service providers). Data should also be easy to access in a reliable and secure environment.
- Hold business associates accountable for risk and security assessments, and develop processes for identifying and reporting breaches.
- Establish reliable legal support to manage investigations, fines, and lawsuits in case a data breach does occur.
Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.
Norwich University’s online Master of Science in Nursing program helps students hone their knowledge and skills to assume leadership positions in informatics, healthcare systems or nursing education. The program aims to develop students who could take a role in shaping health policy, in educating other nurses and healthcare professionals, and in providing advanced care to their patients. Norwich’s online nursing program coursework has been developed based on guidelines by the American Association of Colleges of Nursing, and the program is accredited by the Commission on Collegiate Nursing Education.