An alarming 1 in 3 healthcare recipients in the United States will be the victim of a healthcare data breach this year, according to the research group, IDC Health Insights.
Why is healthcare data such a target?
First, online reports show that it’s worth up to 10 to 20 times more than credit cards on the black market (selling for $10 each). Plus, unlike a stolen credit card number, medical information can be used in several ways: to access bank accounts, defraud insurers and government programs, and obtain prescriptions.
There’s also lots of personal health information (PHI) available. More and more health records are being digitized. Also, the range of wearable technologies in healthcare continues to grow.
Unfortunately, healthcare organizations are being warned that their cyber security is lax – and more vulnerable than other sectors to attacks.
In 2015, over 112 million records were exposed in 254 healthcare breaches, according to the Office of Civil Rights (OCR).
The 2015 Cost of Data Breach Study showed that the average per patient cost of a data breach was $398, the highest across all industries.
Here are technical safeguards and security policies that can help prevent data breaches.
- Risk Assessment: Healthcare organizations should conduct a risk assessment of IT systems to identify security vulnerabilities. For example, there should be separate networks for public use and sensitive patient information.
- Penetration Protection: Use anti-malware software to detect malware on healthcare workers’ devices. Vulnerability management and patching will close security holes. A good firewall will defend against malware too.
- Training: Educate healthcare workers on Health Insurance Portability and Accountability Act (HIPAA) rules and regulations, and other privacy laws. Provide practical training too. For example, employees should know about phishing scams: intruders pose as legitimate organizations and try to lure recipients into clicking on a link or opening a document that downloads a virus.
- Control Access: Different members of a healthcare team will need to access patient information. Users at each level should only have access to information that is pertinent to their job. There should be unique user ID protocols, automatic logoff, passwords, and other cyber security controls.
- Monitoring: Employees should physically protect electronic devices and/or paper records that contain PHI too. While a Clean Desk Policy can help, it is sometimes impossible in a healthcare setting to keep work areas clear. Never leave devices or records unattended. A strict mobile device policy should specify out-of-workplace procedures.
- Encryption: Encrypt data in motion (data being sent from one device to another) and at rest (stored on electronic devices). Encryption encodes information so that it can only be read with the proper encryption key. If information or devices are stolen, thieves will not be able to access the information.
- Physical Safeguards: Limit physical access to facilities where health IT is housed. All hard drives and e-media should be securely destroyed when they are being replaced and/or updated. Partner with a document destruction expert that provides secure on- and off-site services.
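The "Control Access" item above describes three controls that are easy to state and easy to get wrong in practice: unique user IDs, role-based access limited to what is pertinent to the job, and automatic logoff. The following Python example is added here to show how those controls fit together; it is not code from the original article or from any EHR vendor. The roles, PHI categories, user IDs, patient IDs and the 15-minute idle timeout are all constructed for illustration, and every decision (permitted or denied, and why) is written to an audit log so that denials can be reviewed later.

```python
from dataclasses import dataclass, field

# Role -> set of PHI categories that role may read.
# Constructed example mapping; a real deployment derives this from the
# organization's own "minimum necessary" policy, not from this table.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "diagnosis", "medications", "lab_results"},
    "nurse": {"demographics", "medications", "lab_results"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}

# Assumed idle limit before automatic logoff (15 minutes, in seconds).
SESSION_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str          # unique per person; no shared accounts
    role: str
    last_activity: float  # epoch seconds of the last accepted request
    active: bool = True


@dataclass
class AccessControl:
    # Each entry: (timestamp, user_id, action, target, outcome)
    audit_log: list = field(default_factory=list)

    def login(self, user_id: str, role: str, now: float) -> Session:
        """Start a session for a known role; unknown roles get no access at all."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.audit_log.append((now, user_id, "login", role, "ok"))
        return Session(user_id, role, now)

    def _expire_if_idle(self, session: Session, now: float) -> None:
        """Automatic logoff: deactivate a session left idle past the timeout."""
        if session.active and now - session.last_activity > SESSION_TIMEOUT_SECONDS:
            session.active = False
            self.audit_log.append((now, session.user_id, "auto_logoff", "", "ok"))

    def request(self, session: Session, patient_id: str, category: str, now: float) -> bool:
        """Return True if the read is permitted; log the decision either way."""
        self._expire_if_idle(session, now)
        target = f"{patient_id}/{category}"
        if not session.active:
            self.audit_log.append((now, session.user_id, "read", target,
                                   "denied:session_expired"))
            return False
        session.last_activity = now  # any handled request counts as activity
        allowed = category in ROLE_PERMISSIONS[session.role]
        outcome = "ok" if allowed else "denied:not_pertinent_to_role"
        self.audit_log.append((now, session.user_id, "read", target, outcome))
        return allowed

    def denials(self) -> list:
        """Audit entries a security team would review: every denied request."""
        return [entry for entry in self.audit_log if entry[4].startswith("denied")]


def demo():
    """Constructed scenario: a nurse and a front-desk clerk touching one chart."""
    ac = AccessControl()
    t0 = 1_700_000_000.0  # constructed timestamp
    nurse = ac.login("nurse42", "nurse", t0)
    clerk = ac.login("desk07", "front_desk", t0)
    results = [
        ac.request(nurse, "P001", "medications", t0 + 60),    # permitted
        ac.request(clerk, "P001", "diagnosis", t0 + 120),     # denied: not the clerk's job
        # nurse returns after more than 15 idle minutes: auto logoff, denied
        ac.request(nurse, "P001", "lab_results", t0 + 60 + SESSION_TIMEOUT_SECONDS + 1),
    ]
    return results, ac.denials()


if __name__ == "__main__":
    outcomes, denied = demo()
    print("decisions:", outcomes)
    for entry in denied:
        print("denied:", entry)
```

The point of the audit log is that access control is only half of "Control Access": a denial for a clerk reading a diagnosis, or a burst of expired-session reads from one account, is exactly the signal monitoring should surface, and the log keeps the user ID, the record touched and the reason together so that a reviewer does not have to reconstruct them.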
Healthcare security best practices can help health organizations avoid all the costs of a data breach – HIPAA fines and other compliance costs as well as damage to reputation and patient trust.