<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; healthcare</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/healthcare/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Healthcare breaches &amp; fraud are here to stay</title>
		<link>http://www.experian.com/blogs/data-breach/2012/05/15/healthcare-breaches-fraud-are-here-to-stay/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/05/15/healthcare-breaches-fraud-are-here-to-stay/#comments</comments>
		<pubDate>Tue, 15 May 2012 14:49:10 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[medical fraud]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1213</guid>
		<description><![CDATA[Don’t expect medical breaches and healthcare fraud to drop off the radar anytime soon. Here’s why. First, the number of breaches in the industry is still escalating. In 2011, healthcare breaches occurred 32% more frequently than in 2010. Second, the profitability of medical records on the black market is high – 192% more profitable than [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/electronic-medical-records.jpg"><img class="aligncenter size-full wp-image-1224" title="electronic-medical-records" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/electronic-medical-records.jpg" alt="" width="425" height="282" /></a></p>
<p>Don’t expect <a title="The RX for medical breaches" href="http://www.experian.com/blogs/data-breach/2012/04/03/the-rx-for-medical-breaches/" target="_blank">medical breaches</a> and healthcare fraud to drop off the radar anytime soon. Here’s why.</p>
<p>First, the number of breaches in the industry is still escalating. In 2011, <a title="5 Differentiating factors of a healthcare breach" href="http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/" target="_blank">healthcare breaches</a> occurred 32% more frequently than in 2010.<sup>1</sup></p>
<p>Second, the profitability of medical records on the black market is high – 192% more profitable than Social Security numbers. Estimates put the former at $50 and the latter at $1, according to a GovTech.com article.</p>
<p>It’s this frequency and profitability that, in part, help to ensure the continuation of data loss and fraud. The sooner the industry accepts and prepares for incidents, the better.</p>
<p>Healthcare organizations still have a lot to do in that regard. Forty-three percent rank their ability to counter internal and external data security threats as “needs improvement,” “poor” or “failing.”<sup>2</sup> And their actions – or lack thereof – can adversely affect patients. Medical identity theft can cost a consumer $20,663 to resolve.<sup>3</sup></p>
<p>So what exactly is compromising data security at healthcare organizations? In a recent study, most organizations (54%) agreed that a lack of budgetary resources dedicated to security and privacy is the greatest weakness in preventing a breach.<sup>4</sup> The study also named the top three causes of data breaches as:</p>
<ul>
<li>Lost or stolen computing devices</li>
<li>Third-party errors</li>
<li>Unintentional employee actions<sup>5</sup></li>
</ul>
<p>Looking at the list, it’s clear that budgeting for security and privacy needs to encompass protecting mobile and other computing devices, training employees and verifying that third-party partners uphold a high level of security as well.</p>
<p>Without a well-rounded approach to data security, organizations make themselves even more vulnerable at a time when vulnerability is a given. Organizations big and small can’t do without computers, third parties and employees – or at least two of the three. So the risk of a breach and resulting fraud can never be completely eradicated. Human error alone is impossible to eliminate.</p>
<p>But risks can be managed with a comprehensive plan that addresses a full spectrum of weaknesses and threats: a plan that includes access controls and encryption for sensitive data as well as a response guide for handling a data breach if one occurs.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Healthcare Info Security Webinar" href="http://www.experian.com/innovation/business-resources/cyber-insurance-data-breach-response-plan.jsp?WT.srch=ecd_dbres_blog_051512_article ">Webinar Download: Healthcare Information Security Today conducted a survey to provide an in-depth assessment of the effectiveness of data protection efforts. View Now! </a></div></div>
<p>[footnotes]</p>
<p>1. Second Annual Benchmark Study on Patient Privacy &amp; Data Security, Ponemon Institute (2011)<br />
2. Healthcare Information Security Today (2011)<br />
3. Second Annual National Study on Medical Identity Theft, Ponemon Institute (2011)<br />
4. Second Annual Benchmark Study on Patient Privacy &amp; Data Security, Ponemon Institute (2011)<br />
5. Second Annual Benchmark Study on Patient Privacy &amp; Data Security, Ponemon Institute (2011)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/05/15/healthcare-breaches-fraud-are-here-to-stay/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical and mobile: Convenience trumps security</title>
		<link>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/#comments</comments>
		<pubDate>Wed, 02 May 2012 16:30:56 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[medical fraud]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1177</guid>
		<description><![CDATA[Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the newfound convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too. A recent study suggests that adopting new [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/medicalmobileapps.jpg"><img class="aligncenter size-full wp-image-1183" title="medicalmobileapps" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/medicalmobileapps.jpg" alt="" width="540" height="270" /></a></p>
<p>Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the newfound convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too.</p>
<p>A recent study suggests that adopting new technology is a far greater priority than securing it. Eighty-one percent of healthcare organizations are using mobile devices to “collect, store and/or transmit” protected health information (PHI) but 49% “do nothing” to protect the devices.</p>
<p>The lack of security has been detrimental. The same study found that the breach of protected health information (PHI) records increased 97% from 2010 to 2011.</p>
<p>While data loss is certainly a burden to organizations, mobile security doesn’t have to be. Here are four key considerations for mobile-equipped medical offices:</p>
<ol>
<li>Encryption<br />
Consider the <a title="Encryption: Data's best friend" href="http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%E2%80%99s-best-friend/">encryption</a> capabilities of a device before you purchase, not after. Carefully choose tablets and phones that offer a high level of encryption across the device’s various functions and facets, including removable storage. If your office is already mobile-equipped, be sure encryption is standard procedure.</li>
<li>Storage<br />
Think of a mobile device as a way to access data, not store it. A secure server or cloud network is more appropriate for a centralized storage location, to which your mobile devices can connect and disconnect. The latter function is essential, as the portability of a mobile device makes it both easier to lose and more attractive to thieves. According to the Department of Health and Human Services, stolen physical devices account for 71% of breached healthcare records. A missing device that’s online with your data bank poses a serious threat to you and your patients.</li>
<li>Access<br />
Mobile devices should be password-protected, and so should access to your data bank through the devices. Job requirements should determine what devices and passwords each employee in your office can access. Also consider whether bring your own device (BYOD), in which employees use their personal devices to access work data, fits with your security approach.</li>
<li>Employees<br />
Don’t overlook the element of human error in your mobile security plan. In 2011, the volume of breached medical records resulting from an employee losing an unencrypted device jumped 525%. Since you can’t ever completely eliminate human error, be sure to train your <a title="Your biggest data breach risk may be on your payroll " href="http://www.experian.com/blogs/data-breach/2011/10/25/your-biggest-data-breach-risk-may-be-on-your-payroll/">employees</a> on properly using and handling mobile devices, as well as reporting any loss, theft or signs that a device has been tampered with.</li>
</ol>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff">Webinar Download: Healthcare Information Security Today conducted a survey to provide an in-depth assessment of the effectiveness of data protection efforts. <a title="Healthcare Info Security Webinar" href="http://www.experian.com/innovation/business-resources/cyber-insurance-data-breach-response-plan.jsp?WT.srch=ecd_dbres_blog_050212_article ">View Now! </a></div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responding resourcefully to medical data breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 22:58:01 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1153</guid>
		<description><![CDATA[It’s safe to say that healthcare data is under attack. Breaches of medical records increased 97% from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute. Be prepared: Does your organization observe security protocols and have controls in [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg"><img class="aligncenter size-full wp-image-1166" title="patient-data-breaches" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg" alt="" width="400" height="300" /></a></p>
<p>It’s safe to say that healthcare data is under attack. Breaches of <a title="Differentiating factors of a healthcare breach" href="http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/">medical records increased 97%</a> from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute.</p>
<p><strong>Be prepared:</strong> Does your organization observe security protocols and have controls in place to protect patient health information (PHI)?</p>
<p><strong>Have a response plan ready to deploy:</strong> In the event of a data breach, the first thing to do is activate your <a title="Data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/">response plan</a>. In general, this plan spells out in great detail everything from who will lead the response team to step-by-step processes for sending out notifications, customer care and more.</p>
<p><strong>Evaluate your situation post-breach:</strong> Once you’ve weathered the storm of a data breach and its consequences, take time to review the ways your organization responded and grade your response plan. This is also the time to make changes, small and substantial, to the response plan and implement any other protections or processes that you feel would improve your readiness and ability to respond in the event of another incident.</p>
<p>Look for Experian at the 2012 Compliance Institute in Las Vegas from April 29 to May 1. It’s a great opportunity to immerse yourself in solutions for preventing and managing data breaches, as well as meet experts who can help your organization be better prepared in the event of an incident.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Third Annual Medical Identity Theft Study" href="http://www.experian.com/innovation/business-resources/ponemon-third-annual-medical-id-theft-study.jsp?WT.srch=ecd_dbres_blog_042612_article">Download the Ponemon Medical Identity Theft Study to learn the costly consequences facing patients and providers</a>.</div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ensuring compliance with new healthcare legislation</title>
		<link>http://www.experian.com/blogs/data-breach/2010/11/23/ensuring-compliance-with-new-healthcare-legislation/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/11/23/ensuring-compliance-with-new-healthcare-legislation/#comments</comments>
		<pubDate>Tue, 23 Nov 2010 16:45:47 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=216</guid>
		<description><![CDATA[Legislation has been introduced in Congress to crack down on Medicare and Medicaid fraud. This legislation comes at a time when incidents of medical fraud are on the rise and the Obama Administration is poised to roll out sweeping healthcare reform. Medical fraud is estimated to cost the U.S. health care system $100 billion a [...]]]></description>
			<content:encoded><![CDATA[
<p>Legislation has been introduced in Congress to crack down on Medicare and Medicaid fraud. This <span style="text-decoration: underline;"><a href="http://www.ofr.gov/inspection.aspx" target="_blank" class="broken_link" rel="nofollow">legislation</a></span> comes at a time when incidents of medical fraud are on the rise and the Obama Administration is poised to roll out sweeping healthcare reform. <span style="text-decoration: underline;"><a href="http://money.cnn.com/2010/01/13/news/economy/health_care_fraud/" target="_blank" class="broken_link" rel="nofollow">Medical fraud</a></span> is estimated to cost the U.S. health care system $100 billion a year.</p>
<p>The <span style="text-decoration: underline;"><a href="http://www.usatoday.com/news/washington/2010-09-20-medicare-new-rules_N.htm?loc=interstitialskip" target="_blank" class="broken_link" rel="nofollow">new rules</a></span> will give federal health officials key powers to detect fraud early and prevent improper payments from being made.  For example, medical provider employees will be subject to fingerprinting, payments will be suspended to health organizations that are under investigation and medical programs will be required to stop using providers kicked out of Medicare or Medicaid programs.</p>
<p>These rules have serious implications for the health care industry, which must also comply with stringent new HITECH rules. As I mentioned in a <span style="text-decoration: underline;"><a href="../2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/" target="_blank">previous blog</a></span> entry, some professionals feel the best way to comply with the new requirements is to be proactive. For example, providers should consider actively working with their vendors to ensure all parties comply with the new standards.</p>
<p>Another recommendation is to conduct an internal risk assessment. A thorough assessment can identify where a business is not complying with the HITECH Act or HIPAA standards and provide an opportunity to make the right adjustments. Non-compliance can result in up to $1.5 million in fines or even civil action from a State Attorney General.</p>
<p>Learn more about <a href="http://www.experian.com/data-breach/data-breach-information.html" target="_blank"><span style="text-decoration: underline;">risk assessments</span></a> and act now before it’s too late.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/11/23/ensuring-compliance-with-new-healthcare-legislation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Help your customers protect their PHI</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/#comments</comments>
		<pubDate>Tue, 21 Sep 2010 23:15:47 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=138</guid>
		<description><![CDATA[Recently I addressed the importance of having plans in place to protect personal health information in light of the sharp increase in healthcare data breaches.  Unfortunately, research studies are finding that incidents of fraud resulting from exposed healthcare data are on the rise.]]></description>
			<content:encoded><![CDATA[
<p>Recently <span style="text-decoration: underline;"><a href="http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/" target="_blank">I addressed</a></span> the importance of having plans in place to protect personal health information in light of the sharp increase in <a href="http://www.experian.com/data-breach/healthcare-data-breach.html" target="_blank">healthcare data breaches</a>.  Unfortunately, research studies are finding that incidents of fraud resulting from exposed healthcare data are on the rise. A recent Javelin Strategy and Research study noted that fraud resulting from exposed health data has more than doubled over the past year.</p>
<p>This sharp spike is due to the extensive personal information available on an individual’s health record.  According to a recent <span style="text-decoration: underline;"><a href="http://www.rsa.com/solutions/consumer_authentication/intelreport/10947_Online_Fraud_report_0510.pdf" target="_blank" class="broken_link" rel="nofollow">RSA Online Fraud Report</a></span>, the types of fraud that can be committed using full information profiles are limitless. Not only is the individual a potential victim, the healthcare providers, insurers and the pharmaceutical companies are as well.</p>
<p>The RSA Report cites examples where a cybercriminal steals personal health information (PHI) to file false patient claims to an insurer. A second example includes making false prescription orders to fuel the underground prescription drug trade. Unfortunately, the consumer whose PHI is being abused may incur damages beyond being a victim of someone stealing their medical information. Consumers may come under criminal investigation for defrauding the insurer or buying prescriptions illegally. That doesn’t sound fair, does it?</p>
<p>It is of paramount importance to develop policies to deter and detect <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breach </a>threats.  However, it is of equal importance to keep customers informed of how to <span style="text-decoration: underline;"><a href="http://www.worldprivacyforum.org/hipaa/index.html" target="_blank" class="broken_link" rel="nofollow">protect</a></span> their health privacy themselves. <span style="text-decoration: underline;"><a href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">National Cyber Security Awareness Month</a></span> begins October 1 this year. Please consider informing your clients and customers of how they can <span style="text-decoration: underline;"><a href="http://www.staysafeonline.org" target="_blank" class="broken_link" rel="nofollow">remain safe</a></span> online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do your business associates know how they will be affected by HITECH?</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 23:30:30 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=37</guid>
		<description><![CDATA[Just as the healthcare industry came up to speed on the regulations defined  in The Health Information Technology for Economic and Clinical Health ("HITECH") Act, additional modifications are being proposed. These proposed rules focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs). So why is this significant? ]]></description>
			<content:encoded><![CDATA[<div class="tweetmeme_button" style="float: right; margin-left: 10px;">
			<a href="http://api.tweetmeme.com/share?url=http%3A%2F%2Fwww.experian.com%2Fblogs%2Fdata-breach%2F2010%2F09%2F07%2Fdo-your-business-associates-know-how-they-will-be-affected-by-hitech%2F"><br />
				<img src="http://api.tweetmeme.com/imagebutton.gif&amp;source=Experian_DBR&amp;style=normal&amp;hashtags=Fraud,healthcare,HIPAA,HITECH+Act,Identity+Theft+Resource+Center,Medical+Data+Breach,PHI&amp;b=2" height="61" width="50" /><br />
			</a>
		</div>
<p><img class="size-full wp-image-129 alignnone" title="medical doctor" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/medical-doctor.jpg" alt="" width="521" height="260" /></p>
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p style="text-align: left;">
<p>Just as the <a href="http://www.experian.com/data-breach/healthcare-data-breach.html" target="_blank">healthcare industry</a> came up to speed on the <a href="http://www.hipaasurvivalguide.com" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">regulations defined</span></a> in The Health Information Technology for Economic and Clinical Health (&#8220;HITECH&#8221;) Act, additional modifications are being proposed. These <span style="text-decoration: underline;"><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html" target="_blank" class="broken_link" rel="nofollow">proposed rules</a></span> focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs).</p>
<p>So why is this significant? For two reasons. First, combined with the HITECH Act, the new rules will expand the application of certain HIPAA Security and Privacy requirements, and of penalties, to business associates. Second, the proposal expands the definition of BA to include subcontractors who handle health information. Subcontractors would be considered BAs and would be subject to direct liability under the HIPAA rules.</p>
<p>Many provider networks, physician practices and insurance plans work with outside vendors to manage their businesses and patient health information. Many of these providers are BAs who use subcontractors. Under the proposed new regulations, these subcontractors must also be HIPAA compliant and follow the HITECH regulations or face penalties. This also means that CEs could be held liable when a BA does not comply.</p>
<p>How well does your company know its business associates…<em>and the businesses that they do business with</em>? As healthcare organizations expand their operations, it is imperative that due diligence is performed to avoid potential liability stemming from non-compliant vendors. <a href="http://www.abanet.org/health/esource/Volume5/10/Nosowsky.html" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Some privacy professionals</span></a> feel the best way to prevent liability under the new requirements is to be proactive about adhering to compliance standards.</p>
<p>Companies should consider actively working with their <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">vendors</a> to address the stringent HITECH requirements and ensure that anyone who falls under the BA category is aware of the full implications of HITECH and HIPAA. The more proactive you are, the better your chance of avoiding potentially heavy fines due to the ignorance of a BA that was not aware of the law.</p>
<div style="float: right; margin-left: 10px;"><a href="http://twitter.com/share?url=http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/&via=Experian_DBR&text=Do your business associates know how they will be affected by HITECH?&related=:&lang=en&count=horizontal" class="twitter-share-button">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script></div>]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Warning: Medical data breaches are on the rise</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 23:22:15 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=36</guid>
		<description><![CDATA[According to a recent study by the Identity Theft Resource Center, data breaches in the healthcare sector are occurring at a higher rate than in other industries.  The study found that of the 385 data breaches that occurred in the U.S. in the first half of 2010, 30% of those affected were healthcare providers.  In comparison, data breaches reported in banking and other financial institutions for the same time period totaled 10%.

What is the cause of this large discrepancy between industries?]]></description>
			<content:encoded><![CDATA[<div class="tweetmeme_button" style="float: right; margin-left: 10px;">
			<a href="http://api.tweetmeme.com/share?url=http%3A%2F%2Fwww.experian.com%2Fblogs%2Fdata-breach%2F2010%2F09%2F07%2Fwarning-medical-data-breaches-are-on-the-rise%2F"><br />
				<img src="http://api.tweetmeme.com/imagebutton.gif&amp;source=Experian_DBR&amp;style=normal&amp;hashtags=Data+Policy,Fraud,healthcare,Identity+Theft+Resource+Center,Medical+Data+Breach,PHI&amp;b=2" height="61" width="50" /><br />
			</a>
		</div>
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/Medical-Files-2010-09-07-at-10.40.38-PM.png"><img class="size-full wp-image-58 alignnone" title="Medical Files 2010-09-07 at 10.40.38 PM" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/Medical-Files-2010-09-07-at-10.40.38-PM.png" alt="" width="487" height="325" /></a></p>
<p>According to a recent study by the <a href="http://www.idtheftcenter.org/index.html" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Identity Theft Resource Center</span></a>, <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breaches</a> in the healthcare sector are occurring at a higher rate than in other industries.  The study found that of the 385 data breaches that occurred in the U.S. in the first half of 2010, 30% of those affected were healthcare providers.  In comparison, data breaches reported in banking and other financial institutions for the same time period totaled 10%.</p>
<p>What is the cause of this large discrepancy between industries? According to commentary provided by <a href="http://www.esecurityplanet.com/trends/article.php/3896676/Data-Breaches-Continue-to-Plague-Health-Care-Orgs.htm" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">eSecurity Planet</span></a>, the increase may be due to the many different types of workers who have access to areas in healthcare organizations’ buildings where sensitive data is stored. This unrestricted access provides an opportunity for unauthorized employees to access laptops, USB drives or desktops with sensitive information from areas that are far less secure than those at a bank or other financial institution.</p>
<p>This sharp increase has caught the attention of the US Congress, which is set to approve $1.7 billion to <span style="text-decoration: underline;"><a href="http://www.bloomberg.com/news/2010-08-06/government-fraud-strike-forces-to-expand-under-obama-spending-plans.html" target="_blank" class="broken_link" rel="nofollow">fight healthcare fraud</a></span>. A large portion of that spending will go towards creating fraud “task forces” in up to 20 cities across the U.S. Watchdog groups and patient privacy advocates are also putting pressure on healthcare organizations to protect patients’ medical records and personal information, especially as patient records become digital and are stored by third parties.</p>
<p>Deterring and detecting data breach threats does not happen by chance.  Now more than ever, it is important for healthcare companies to take advantage of proven data security solutions and to develop policies, like those used in other industries, to help protect patient data.</p>
<div style="float: right; margin-left: 10px;"><a href="http://twitter.com/share?url=http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/&via=Experian_DBR&text=Warning: Medical data breaches are on the rise&related=:&lang=en&count=horizontal" class="twitter-share-button">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script></div>]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>