As far as data security goes, 2011 was a dismal year. Relentless, high-profile breaches punctured any sense that hack attacks are a remote threat, and by year’s end it was clear (if it wasn’t before) that protection against security disaster can only come from the most rigorous breach defense.
Unfortunately, disaster is exactly what has befallen the healthcare industry. As health care regulations like HIPAA have become more pervasive, and healthcare records have increasingly moved online, the healthcare field has become a larger target for hackers and fraudsters while also becoming more vulnerable to breach by accident (such as a lost laptop). That’s why health data breaches were up a whopping 97% last year, according to Redspin’s 2011 PHI Breach Analysis Report, affecting 19 million patients’ health records; 59% of all breaches involved a business associate.
Security policies have not kept pace with the increasing use of portable devices, such as tablets, or with new systems such as electronic health records, leaving both exposed to data breaches. Of 385 breaches of protected health information during this period, 39% occurred on a laptop or other portable device, 25% occurred on a desktop PC or server, and 60% resulted from malicious intent such as theft or hacking.
The rise in healthcare data breaches has been a known problem. Last year, the Ponemon Institute’s Second Annual Survey on Medical Identity Theft estimated that more than 1.49 million Americans had by that point been targeted by this crime. With an average cost per victim of $20,663, the total national economic impact of medical identity theft crimes was calculated to be in excess of $30 billion.
Some of the key takeaways from the Redspin report:
● The federal government should update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule so that healthcare providers have more relevant and practical guidance.
● Healthcare providers should conduct a HIPAA security risk analysis on an annual or, at the least, bi-annual basis and put a plan in place to address any vulnerabilities found.
● Hospitals should conduct a specific “portfolio” risk analysis of the numerous vendors, contractors, and consultants they work with to focus on the subset of business associates that present a high risk of potential damage from data breaches.
● Healthcare providers must make their employees more security-conscious.
Consumers need to do what they can to protect their own health information, but healthcare organizations must mount vigorous defenses to ward off data breaches and implement incident response plans to quickly address breaches when they happen.