January 07, 2016

5 Big Surprises in Healthcare Security

Two new reports uncovered a few surprises about health data breaches – and underlined the fact that you can’t paint all data breaches with the same brush.

Protected Health Information (PHI) is highly coveted by today’s cyber criminals, said Suzanne Widup of Verizon, which released the 2015 Protected Health Information Data Breach Report. Detailed health records make it easier for criminals to commit identity theft and medical billing fraud.

Here is what research showed about healthcare security and data breaches:

Not just Healthcare Industries: The Verizon report showed that 90% of the industries studied have experienced health data breaches. In fact, many organizations outside of the healthcare sector collect protected health information (in employee records or wellness program data, for example). Another study, the State of Healthcare Information Security 2015 survey, showed that business associates taking inadequate security precautions with PHI are a threat too.

By the Numbers: Verizon reviewed 1,931 incidents from 25 countries comprising at least 392 million patient records. But the total number of compromised records might be much higher – 24% of breached organizations did not provide the exact number of records involved. Verizon also reported that nearly half of the population of the U.S. has been impacted by breaches of PHI since 2009.

Physical Breaches the Most Common: The Verizon data showed that lost or stolen assets, privilege misuse, and miscellaneous errors such as information misplacement, disposal errors, and publishing mistakes, caused 86% of all breaches of PHI data. 

People, not Hacks: The State of Healthcare survey showed that human error – and often insider misuse – was responsible for more breaches than hackers in healthcare. “We spend millions on new technology, countless hours on policy writing, and engage all stakeholders to enhance their awareness,” wrote Dr. John D. Halamka in a medcitynews.com post. “Yet, we’re as vulnerable as our most gullible employee.”

The Effect on Consumers: Researchers have noted that consumers are starting to withhold information from healthcare providers because they’re concerned there could be a data breach. This could have serious implications – such as a delay in diagnosing a communicable disease.  

What are information security best practices for organizations that handle health information?

  1. Understand requirements of both HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Healthcare Information Technology for Economic and Clinical Health Act). 
  2. Implement a security strategy, and put it in writing. The State of Healthcare report showed that only 57% of healthcare organizations have a documented information security strategy.
  3. Increase and improve employee training on privacy and security issues.
  4. Implement early detection tools such as intrusion/misuse detection.
  5. Update business continuity and disaster recovery plans.
  6. Implement mobile device security policies and procedures, including encryption and other endpoint protection.
  7. Check that any vendors or third parties have done an appropriate healthcare IT risk analysis, and that they are properly safeguarding your PHI too.
  8. Partner with a reliable document destruction company that has a secure chain of custody and helps you comply with the latest legislation.

Today all industries must have a comprehensive document management process that protects PHI from document creation to document disposal.