November 29, 2016

Healthcare Security Breaches Aren’t Slowing Down

The healthcare sector is under attack around the world, but this past June was a banner month for information thieves, particularly in the U.S.

While the numbers are skyrocketing, what is also striking is the variety of healthcare data security breaches that keep occurring: outright intrusions, but also lost paper, stolen hardware and careless disposal.

According to a HIPAA Journal report:

  • A cyber attack on a Florida-based health treatment provider netted over two million patients’ records.
  • In Florida, patient files fell from a vehicle that was transporting them to be incinerated, exposing the protected health information (PHI) of almost 500,000 patients.
  • Two unencrypted laptops, holding over 600,000 health records, were stolen in California.
  • Files containing the PHI of almost 114,000 patients were found in a recycling bin in Ohio.
  • In the biggest healthcare breach of the month, a hacker posted a U.S. health insurer’s 9.3 million-record database for sale on a Darknet marketplace.

In total, the number of breached health records in June was more than 11 million, according to the Protenus Breach Barometer. That’s more than five times as high as the total number of healthcare records exposed in the first five months of the year.

Further analysis by Protenus showed that while the first six months of 2016 averaged 25.3 breaches per month, the months from July through September averaged 39.3 incidents per month, an increase of over 55%.

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon and ID Experts told the same kind of story. The study showed that over the past two years, 89% of healthcare organizations and 60% of their third-party business associates experienced data breaches. The total cost of data breaches to the healthcare industry was pegged at $6.2 billion, and that figure does not capture what experts say is the majority of incidents: breaches affecting fewer than 500 individuals, which need only be reported to HHS annually and are not posted on its public breach portal.

It all adds up to a case for wide-reaching safeguards across every part of a healthcare organization, including these basic strategies for managing internal threats and protecting healthcare data.

Employee training: A central theme of the 2016 Shred-it State of the Industry Report is that training to reduce errors and improve information security must be ongoing and company-wide, combining theory with practical, job-specific instruction.

Mobile device policies: As mobile devices increasingly play a role in the diagnosis, delivery and management of health care, safeguards must be in place. A mobile device policy should cover best practices in and out of the workplace, and the organization should budget for the IT safeguards that back it up, above all full-disk encryption on every laptop and phone that can hold PHI. The two stolen California laptops above were unencrypted; with encryption in place, a stolen device is a hardware loss rather than a reportable breach.
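A policy that says "laptops must be encrypted" needs a check that proves it. The following is an added example, not code from the original article or from Shred-it: it parses the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux) and reports any required mountpoint that is not stacked on a dm-crypt ("crypt") device, which is what a LUKS-encrypted Linux laptop looks like to the kernel. The two sample trees are constructed for the example, and the list of mountpoints that must be encrypted is an assumption to adapt to your own policy.

```python
"""Check whether the filesystems that may hold PHI sit on an encrypted block device.

Added example (not from the original article). Parses the JSON tree printed by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` and flags required mountpoints that are not
stacked on a dm-crypt ("crypt") device. The sample trees below are constructed.
"""
import json
import subprocess
from typing import Dict, Iterable, List

# Mountpoints that must be encrypted on a device allowed to hold PHI.
# This list is an assumption for the example; adapt it to your policy.
REQUIRED_MOUNTS = ("/", "/home")


def _walk(node: dict, under_crypt: bool, found: Dict[str, bool]) -> None:
    """Depth-first walk; a filesystem is encrypted if any ancestor is type 'crypt'."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        found[mountpoint] = under_crypt
    for child in node.get("children", []):
        _walk(child, under_crypt, found)


def encryption_status(lsblk_json: dict) -> Dict[str, bool]:
    """Map every mountpoint in the tree to True (on dm-crypt) or False (plain)."""
    found: Dict[str, bool] = {}
    for device in lsblk_json.get("blockdevices", []):
        _walk(device, False, found)
    return found


def unencrypted_required(lsblk_json: dict,
                         required: Iterable[str] = REQUIRED_MOUNTS) -> List[str]:
    """Return the required mountpoints that are missing or not on an encrypted device."""
    status = encryption_status(lsblk_json)
    return [mp for mp in required if not status.get(mp, False)]


# Constructed sample: LUKS container under the root partition, LVM volumes on top.
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]}
]}
""")

# Constructed sample: plain partitions, no crypt layer anywhere.
PLAIN_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/"},
    {"name": "sda2", "type": "part", "mountpoint": "/home"}
  ]}
]}
""")


def audit_this_host() -> List[str]:
    """Run lsblk on the local machine and return the unencrypted required mounts."""
    output = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_required(json.loads(output))


if __name__ == "__main__":
    for label, tree in (("encrypted sample", ENCRYPTED_LAPTOP),
                        ("plain sample", PLAIN_LAPTOP)):
        print(f"{label}: unencrypted required mounts = {unencrypted_required(tree)}")
    try:
        print(f"this host: unencrypted required mounts = {audit_this_host()}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"this host: lsblk unavailable ({exc})")
```

The walk treats a filesystem as encrypted only if a `crypt` device appears somewhere in its ancestor chain, so LVM volumes carved out of a LUKS container count while a plain partition next to one does not. Note that `/boot/efi` is reported as unencrypted in the first sample, which is normal; the point of the required list is to name the mounts where records can actually land.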

Regular data risk assessments: Identify areas of risk and improve information security practices by conducting an information security risk assessment on a regular schedule. For example, an organization may learn that it needs to update its legacy systems; many experts say healthcare providers still rely on outdated, unpatched software for patient record storage.

Enforceable internal procedures: The Ponemon study pointed out that healthcare organizations have many ‘data touch’ points. A comprehensive Document Management Policy improves the handling of patient information. Layer security controls rather than relying on any single one. Implement a Clean Desk Policy. Partner with a reliable document destruction company for secure destruction of paper records and of the digital media that hold PHI.

Understanding privacy law in the healthcare sector is critical today: organizations need to know how to stay compliant with HIPAA security standards and HITECH privacy rules.