According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As the number of patient medical records transitions to a digital sharing model, the potential cost of data breaches is now substantially higher than for those less regulated, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records.
With limited budgets, and with priorities often (and rightfully) placed on patient care, many healthcare organizations lack the resources to implement stronger security controls. Despite these constraints, with the right technology and best practices in place, healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep: the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009 has risen from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations still face challenges when it comes to effectively communicating and collaborating on security. In many of these organizations there is a department for privacy and compliance and a separate department for enterprise IT security. These functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side can understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate in isolation, but when correlated against other activity they can indicate that malicious activity is occurring. A workstation that has always accessed clinical data or other patient information doesn’t raise suspicion on its own. But a subtle, steady increase in its traffic, say of 5 percent or 10 percent, correlated with communication to an unauthorized or previously unseen IP address, likely indicates a breach. The same example applies to an external threat: a malicious actor uses social engineering to entice an unwitting user into downloading malware, and once inside the network the malware produces the very same pattern. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it, and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
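The correlation the article describes, as an added example that is not part of the original piece: flag a workstation only when a steady post-baseline rise in outbound traffic coincides with a destination IP never seen during the learning window. The flow records, the 3-day baseline window, the 5 percent growth threshold and the address 10.0.5.20 standing in for an EHR server are all constructed assumptions.

```python
"""Added example (not from the article): correlate a subtle, steady rise in a
workstation's daily outbound traffic with a first-seen destination IP."""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (day, workstation, destination IP, bytes sent).
# Days 1-3 are the learning window; 10.0.5.20 is assumed to be the EHR server.
SAMPLE_FLOWS = [
    (1, "ws-clinic-07", "10.0.5.20", 1_000_000),
    (2, "ws-clinic-07", "10.0.5.20", 1_010_000),
    (3, "ws-clinic-07", "10.0.5.20", 990_000),
    (4, "ws-clinic-07", "10.0.5.20", 1_000_000),
    (4, "ws-clinic-07", "203.0.113.45", 60_000),   # new, unapproved destination
    (5, "ws-clinic-07", "10.0.5.20", 1_000_000),
    (5, "ws-clinic-07", "203.0.113.45", 110_000),
    (6, "ws-clinic-07", "10.0.5.20", 1_000_000),
    (6, "ws-clinic-07", "203.0.113.45", 160_000),
    (1, "ws-billing-02", "10.0.5.20", 500_000),
    (2, "ws-billing-02", "10.0.5.20", 520_000),
    (3, "ws-billing-02", "10.0.5.20", 480_000),
    (4, "ws-billing-02", "10.0.5.20", 600_000),    # one-off spike, known IP
    (5, "ws-billing-02", "10.0.5.20", 490_000),
    (6, "ws-billing-02", "10.0.5.20", 510_000),
]

def daily_profile(flows):
    """Per workstation: {day: [total bytes, set of destination IPs]}."""
    prof = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, host, dst, nbytes in flows:
        prof[host][day][0] += nbytes
        prof[host][day][1].add(dst)
    return prof

def correlated_alerts(flows, baseline_days=3, growth=0.05):
    """Return {host: first-seen IPs} for hosts whose daily traffic rises on
    every post-baseline day and ends at least `growth` above the baseline
    mean, AND that talk to an IP absent from the baseline window. A spike
    alone (ws-billing-02) or a new IP alone does not raise an alert."""
    alerts = {}
    for host, days in daily_profile(flows).items():
        ordered = sorted(days)
        base, rest = ordered[:baseline_days], ordered[baseline_days:]
        if not rest:
            continue  # nothing observed after the learning window yet
        baseline = mean(days[d][0] for d in base)
        known = set().union(*(days[d][1] for d in base))
        totals = [days[d][0] for d in rest]
        steady = (all(b > a for a, b in zip(totals, totals[1:]))
                  and totals[-1] >= baseline * (1 + growth))
        new_ips = set().union(*(days[d][1] for d in rest)) - known
        if steady and new_ips:
            alerts[host] = sorted(new_ips)
    return alerts
```

Both signals are required: the clinic workstation's totals climb 6, 11 and 16 percent over baseline while talking to 203.0.113.45, whereas the billing workstation's single spike to a known server is ignored.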
Safeguarding against healthcare data breaches is a proactive approach to protecting your practice, not a reactive one.
As has been noted recently by Healthcare IT News, healthcare data breaches occur frequently, and as I have previously reported, most of them are inside jobs.
That aside (I’m not trying to dismiss the importance of this fact, just trying to move this piece along as I know your time is limited), many can be prevented by employing the proper information systems, such as two-factor authentication, and the costs of cleaning up after a breach are far higher than the costs of preventing it.
According to Healthcare IT News, healthcare data breaches are incredibly expensive affairs, and the investigations, notifications and follow-up that come after them add to the bill. With that, let’s take a look at some steps that you can take to safeguard against data breaches.
According to the magazine:
Cast a wide net: Ensure you assess your practice’s capabilities for dealing with a data breach. Establish a plan, bring in the practice’s appropriate leaders who can drive the practice forward and work to educate employees of the importance of data integrity. “This might include subject matter experts from cross-functional areas like IT and operations to human resources, or compliance and legal to other key supervisors or managers,” writes Healthcare IT News.
Here are a few additional points from the magazine’s report:
• Establish protocols for tasks
• Create timelines
• Establish communication among the team to ensure everything runs as smoothly as possible
Know thy data: Take stock of your data. Start with reviewing current and past projects, reviewing current documentation and how your practice typically gathers information. “One of the key components of any assessment is determining how personal health information (PHI) and electronic personal health information (EPHI) are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data.”
Address your practice’s vulnerabilities: Known or unknown, this is the time at which you begin putting your plan in place. This is the point in your plan at which you press play.
Document everything: Since you’ll need everything in writing as part of the process, you’ve got to prepare by making sure all of your processes and data are documented. According to the magazine, “Not only do those reports then become a historical document for an organization’s administration to refer to in the future, they’re also proof that a provider has performed due diligence around responsibilities for storing confidential data.”
Follow up and engage often: Don’t just put a process in place; follow up on it. Adjust the process as needed and address any potential red flags immediately. Not doing so is tantamount to failure. Silence is consent, and becoming aware of an issue without addressing it is essentially guilt by association.
Check your progress: Take stock of your risk assessment on a regular basis, “especially after a change in technologies, administration, regulations, or business operations.”