Privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act require healthcare organizations to protect all personal health information (PHI).
But that doesn’t mean the health data is safe.
Almost every organization in the 2014 Benchmark Study on Patient Privacy & Data Security by Ponemon experienced a healthcare data breach. In fact, criminal attacks on healthcare systems have risen 100% since Ponemon first conducted the study in 2010.
The stats aren't going to change any time soon, according to the Experian 2015 Second Annual Data Breach Industry Forecast. It concludes that healthcare breaches will continue to increase due to the potential economic gain (PHI is worth a lot to cybercriminals), the digitization of medical records (a lot of health information is moving about) and the wearable technologies trend (which has added many more individuals to healthcare systems).
What happens when a healthcare organization is the victim of a data breach?
- It can cost a lot. While the Ponemon study estimated that the potential cost to the healthcare industry could reach $5.6 billion annually, the cost to a healthcare facility ranges from less than $10,000 to over $1 million. This includes HIPAA and other fines as well as damages awarded to victims in court.
- Reputation takes a nosedive. According to the Ponemon 2014 Cost of Data Breach: Global Analysis, the loss of reputation and customer loyalty can do the most damage. The healthcare industry experiences high customer turnover after a breach. For these reasons, companies will likely have to invest in regaining their brand image.
- It’s simply bad news. Covered entities must provide notification to everyone who is potentially affected within a certain amount of time. As required by HITECH, breaches affecting 500 or more individuals must also be posted at a breach portal. Unfortunately, when breaches make the headlines it usually comes across as bad news for the healthcare facility.
- Security improvements are a must. According to Experian’s Data Breach Industry Forecast, “healthcare organizations will need to step up their security posture and data breach preparedness.” A regular security audit can identify weak points. Safeguard the company network with password protection, two-step authentication, encryption, and other data loss prevention measures.
- Put a mobile policy in place. Did you know that most healthcare organizations allow employees to use their own mobile devices? But 90% of Android healthcare/medical applications have been hacked, according to the State of Mobile App Security Report. Every workplace should have a comprehensive mobile policy that regulates applications, provides device protection, and teaches employees smart work habits.
- It’s not just an IT problem. “An unlocked door or a misplaced backup disk will result in a potential data breach,” said Bill Kleyman in a post at heathitsecurity.com. Improve physical security with better camera systems, controlled access to the workplace, and safer data warehousing. Partner with a document shredding company for the secure destruction of paper, hard drives and e-media. Train staff about privacy rules and regulations. Be sure supply chain partners have similar security standards too.
Find out why a Document Management policy is one of the most important ways to protect health data in your workplace.