Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)¹.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 million records costing roughly $4 billion.  Government organizations including VA hospitals accounted for the highest number of lost records and the states with the most health care data breaches are California, Texas and New York.  Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

 The report also found that the majority of breaches (70 percent) were electronic and the leading cause data breach incidents were due to stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach but over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medial industry does not find a way to protect themselves from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place which could pose a problem in the event that the device is lost.  In addition, due to the smaller sizes of this group, they lack the resources and awareness to properly arm themselves with the proper data breach protection in all areas of their practice.  This could expose a larger problem for the entire healthcare industry since community health records and health information is often shared between medical institutions of all sizes. 

¹ HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to insure information security is a core value in the broad adoption of health information systems and exchanges.

The latest Ponemon Institute Medical Identity Theft survey reflects the classic good news, bad news scenario. The good news is that more consumers understand how medical identity theft happens, and the importance of checking healthcare invoices and records for accuracy. The bad news is that the victim count has hit an all-time high (nearly 2 million annually), while breach frequency and financial damages continue
to rise, unabated.   

Losses up 44% from 2010

Data extrapolated for 2012 reveals that losses from medical identity theft will top $40 billion, up 34% from last year and 44% from 2010. During any given hour thieves using pilfered credentials will steal nearly $5 million worth of medical services, equipment and prescriptions.

The survey also revealed:

• Higher costs for recovery and resolution: victims pay on average $22,346
  (up 10% from 2011) to resolve medical identity theft, including the cost of identity theft protection and retaining legal counsel
• Difficulty knowing when the crime occurred: one quarter of those asked did not know when their medical identity was stolen, while 34% said it took more than a year to find out
• Collection letters still top the list: though more consumers learn of medical identity theft from suspicious statement or invoice entries, nearly 40% of victims first hear of their misfortune through collection letters

In a subtle but potentially instructive revelation, just 4% of survey respondents said a healthcare provider or insurance company notified them of the theft.  

Providers beware

So how is all this flavoring consumers’ attitudes toward healthcare and insurance providers? The biggest non-financial consequence, according to Ponemon, is a loss of trust and confidence. If people perceive a lack of effective data safeguards, most (58%) feel no compunction about going elsewhere for services. If their medical records were ever lost or stolen 56% of respondents would also feel justified making a change.  

Watch the vital signs

The top three actions desired by victims following medical identity theft include: reimbursement for the costs of changing providers; prompt notification of the loss or theft; and free identity theft protection for at least one year. (Hint: Providers can use these survey insights to develop post-breach strategies and programs aimed at reestablishing trust and confidence.)  

Employers can also play a role in medical identity theft awareness by encouraging (and if needed, teaching) employees how to:

• Keep medical information private
• Regularly check medical records for accuracy (57% of those surveyed don’t)
• Be more proactive about monitoring statements and charges
• Review and interpret credit reports
• Engage an identity theft protection service

Bottom line? When it comes to medical identity theft, vigilance is good medicine–for consumers and healthcare providers alike.

Don’t expect medical breaches and healthcare fraud to drop off the radar anytime soon. Here’s why.

First, the number of breaches in the industry is still escalating. In 2011, healthcare breaches occurred 32% more frequently than in 2010.¹

Second, the profitably of medical records on the black market is high – 192% more profitable than Social Security numbers. Estimates put the former at $50 and the latter at $1, according to a GovTech.com article.

It’s this frequency and profitability that, in part, help to ensure the continuation of data loss and fraud. The sooner the industry accepts and prepares for incidents, the better.

Healthcare organizations still have a lot to do in that regard. Forty-three percent rank their ability to counter internal and external data security threats as “needs improvement,” “poor” or “failing.”² And their actions – or lack thereof – can adversely affect patients. Medical identity theft can cost a consumer $20,663 to resolve.³

 So what exactly is compromising data security at healthcare organizations? In a recent study, most organizations (54%) agreed that a lack of budgetary resources dedicated to security and privacy is the greatest weakness in preventing a breach.⁴ The study also named the top three causes of data breaches as:

• Lost or stolen computing devices
• Third-party errors
• Unintentional employee actions⁵

Looking at the list, it’s clear that budgeting for security and privacy needs to encompass protecting mobile and other computing devices, training employees and verifying that third party partners uphold a high level of security as well.

Without a well-rounded approach to data security, organizations make themselves even more vulnerable at a time when vulnerability is a given. Organizations big and small can’t do without computers, third parties and employees – or at least two of the three. So the risk of a breach and resulting fraud can never be completely eradicated. Human error alone is impossible to eliminate.

But risks can be managed with a comprehensive plan that addresses a full spectrum of weaknesses and threats. A plan that includes access controls and encryption for sensitive data as well as a response guide to handling a data breach if one occurs.

[footnotes]

1. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
2. Healthcare Information Security Today (2011)
3. Second Annual National Study on Medical Identity Theft, Ponemon Institute (2011)
4. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
5. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)

Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the new found convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too.

A recent study suggests that adopting new technology is a far greater priority than securing it. Eighty-one percent of healthcare organizations are using mobile devices to “collect, store and/or transmit” protected health information (PHI) but 49% “do nothing” to protect the devices.

The lack of security has been detrimental. The same study found that the breach of protected health information (PHI) records increased 97% from 2010 to 2011.

While data loss is certainly a burden to organizations, mobile security doesn’t have to be. Here are four key considerations for mobile-equipped medical offices:

1. Encryption
   Consider the encryption capabilities of a device before you purchase, not after. Carefully choose tablets and phones that offer a high level of encryption across the various functions and facets, including removable storage, of the device. If your office is already mobile-equipped, be sure encryption is standard procedure.
2. Storage
   Think of a mobile device as a way to access data, not store it. A secure server or cloud network is more appropriate for a centralized storage location, to which your mobile devices can connect and disconnect. The latter function is essential, as the portability of a mobile device makes it both easier to lose and more attractive to thieves. According to the Department of Health and Human Services, stolen physical devices account for 71% of breached healthcare records. A missing device that’s online with your data bank poses a serious threat to you and your patients.
3. Access
   Mobile devices should be password-protected, and so should access to your data bank through the devices. Job requirements should determine what devices and passwords each employee in your office can access. Also consider whether bring your own device (BYOD), when employees use their personal devices to access work data, fits with your security approach.
4. Employees
   Don’t overlook the element of human error in your mobile security plan. In 2011, the volume of breached medical records resulting from an employee losing an unencrypted device jumped 525%. Since you can’t ever completely eliminate human error, be sure to train your employees on properly using and handling mobile devices, as well as reporting any loss, theft or signs that a device has been tampered with.



Experian will be at the annual HCCA 2012 Compliance Institute conference at Caesar’s Palace in Las Vegas. This conference offers an important opportunity to meet industry professionals with solid credentials in a number of areas related to medical information and data security. Some of the topics to be addressed at the conference include healthcare reform, compliance effectiveness and HIPAA privacy/data breach.

Attendees at the Compliance Institute can choose from 128 sessions and 225 speakers. Special conference tracks address legal and regulatory issues and privacy and security concerns, as well as general compliance. Also offered are advanced discussion groups, industry immersions, speed networking and more. For more information, go to http://www.compliance-institute.org/.

Come and visit our booth. We’ll talk about ProtectMyID^®, Surveillance Alerts^TM and ProtectMyID^® ExtendCARE^TM, as well as other Experian products that can play a critical role in protecting your organization, informing patients of a data breach and helping your organization recover from an incident. You can also enter your name in a drawing for a chance to win a new iPad.

It’s safe to say that healthcare data is/are under attack. Breaches of medical records increased 97% from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute.

Be prepared: Does your organization observe security protocols and have controls in place to protect patient health information (PHI)?

Have a response plan ready to deploy: In the event of a data breach, the first thing to do is activate your response plan. In general, this plan spells out in great detail everything from who will lead the response team to step-by-step processes for sending out notifications, customer care and more.

Evaluate your situation post-breach: Once you’ve weathered the storm of a data breach and its consequences, take time to review the ways your organization responded and grade your response plan. This is also the time to make changes, small and substantial, to the response plan and implement any other protections or processes that you feel would improve your readiness and ability to respond in the event of another incident.

Look for Experian at the 2012 Compliance Institute in Las Vegas from April 29 to May 1. It’s a great opportunity to immerse yourself in solutions for preventing and managing data breaches, as well as meet experts who can help your organization be better prepared in the event of an incident.

Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting.
With breaches of medical records increasing 97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors that make breaches in this one industry so cumbersome, dangerous and difficult to deter.
 
1. Heavy regulations
While various state laws govern many breaches, a healthcare breach falls under federal law—both for providers and their business associates. The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to govern PHI management. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further enforced it. HITECH’s tiered system of fines can cost a company as much as $1.5 million for mishandling a breach.

2. Black market premium
By many estimates, a medical record sells for $50 on the black market, compared to just $1 for a Social Security number (SSN), according to a GovTech.com article. A single breach can be highly lucrative with an average of 49,000 records impacted per incident. This profitability makes it all the more difficult to deter medical breaches and protected health information (PHI) fraud stemming from both internal and external threats.

3. Substantial harm to patients
Ninety percent of healthcare organizations in a recent study agreed that breaches cause patients harm. One example of this is medical identity theft. Another study found that resolving medical identity theft costs victims $20,663, an extrapolated average. Patients with breached PHI may face even worse. They could lose their medical insurance altogether, due to abuse of their benefits by an imposter. And that imposter’s health conditions, blood type, allergies and prescriptions could end up being part of the victim’s medical file. That misinformation could lead to improper medical care, potentially resulting in a life-threatening situation for the victim.

4. High volume of breaches
According to data from the Identity Theft Resource Center, the overall volume of breached records increased 35% from 2010 to 2011. Yet, according to HHS data, the volume of breached PHI records increased 97% in the same timeframe. In fact, three of the top six breaches of 2011 were in healthcare, according to the Privacy Rights Clearinghouse. The numbers point to an industry in crisis. Ninety-six percent of providers in a recent study have experienced at least one breach in the past two years.

5. Unprepared entities
The increase in medical breaches comes at a time when entities are updating their offices with both electronic health records (EHR) and mobile devices. Many are doing so without putting the proper security measures and access controls in place first. In a recent study, 81% of healthcare entities reported using mobile devices to “collect, store and/or transmit” PHI but 49% haven’t implemented any protection measures for the devices.

With so many different factors at play in healthcare breaches, the sector will continue to be an interesting one to watch. As the HHS promotes greater transferability of EHR, the road ahead may become even rockier.

It’s no secret that healthcare data breaches are steadily on the rise.  As technology has modernized healthcare, it has also made healthcare more vulnerable to hackers, fraudsters, and costly bad luck (such as when a lost portable hard drive exposes the personal health records of thousands of patients.)

The threat is real, so how do security experts suggest you protect yourself?

According to GovInfoSecurity, here are 8 tips to help ward off healthcare security breaches:

1. Risk Assessments
HIPAA security risk analysis has been in short supply, thus exposing personal health information to the vagaries of chance.  Many large healthcare breaches have involved the loss or theft of mobile devices and media containing unencrypted PHI, pointing to the fact that risk assessments were not conducted or had failed to identify mobile devices as a vulnerability.  Comprehensive assessments should take into account internal and external infrastructure, web applications and wireless security, and mobile device policies and employee training should be conducted for all healthcare organizations.

2. Encrypt Mobile Devices and Media
Data encryption is important in every setting, and this is especially true when it comes to healthcare data.  Further, some experts think that health organizations should go further than encryption and simply not allow patient data to be stored on mobile devices at all.

3. Increase Training
Security policies alone are not enough.  Employees must be trained in these policies in order for them to be effective.

4. Conduct Internal Audits
Internal breach threats can be mitigated by the establishment of regular internal audits, which can deter would-be fraudsters while also identifying internal breaches before they snowball further.

5. Monitor Business Associates
With business associates accounting for 22% of major breaches, it’s important to make sure that vendor partners are as security conscious as you are.  Audits should extend to business associates in order to ensure vendors are practicing agreed-upon security measures.

6. Limit Data Storage
Massive unencrypted databases are a recipe for disaster.  Encryption is important, but addressing the size of databases is also relevant.  Limiting the amount of personal data your organization possesses is an important step in ameliorating the consequences of data breaches.

7. Paper Records Are Also Important
Good old-fashioned paper records can also lead to data breaches, so amidst the focus on online threats don’t forget about the hazards of paper.

8. Address Other Vulnerabilities
Weaknesses such as wireless access vulnerabilities, ineffective encryption, rogue wireless access points, firewalls separating wireless networks from internal wired networks, and authentication requirements for entering wireless networks are examples of breach threats hat fall into the “miscellaneous” category.

As far as data security goes, 2011 was a dismal year.  Relentless, high-profile breaches punctured any sense that hack attacks are a remote threat, and by year’s end it was clear (if it wasn’t before) that protection against security disaster can only come from the most rigorous breach defense.

Unfortunately, disaster is exactly what has befallen the healthcare industry.  As health care regulations like HIPPA have become more pervasive, and healthcare records have increasingly moved online, the healthcare field has become a larger target of hackers and fraudsters while also becoming more vulnerable to breach by accident (such as a lost laptop).   That’s why health data breaches were up a whopping 97% last year, according to Redspin’s 2011 PHI Breach Analysis Report, with 19 million patients’ health records affected, with 59% of all breaches involved a business associate.

The increasing use of portable devices, such as tablets, has not kept up with security policies to protect new technologies and systems (such as electronic health records) against data breaches.  Of 385 breaches of protected health information during this period, 39% occurred on a laptop or other portable device, 25% occurred on a desktop PC or server, and 60% resulted from malicious intent such as theft or hacking.

The rise of healthcare data breaches have been a known problem.  Last year’s Ponemon Institute’s Second Annual Survey on Medical Identity Theft estimated that more than 1.49 million Americans had at that point been targeted by this crime.  With an average cost per victim of $20,663 the total national economic impact of medical identity theft crimes was calculated to be in excess of $30 billion.

Some of the key takeaways from the Redspin report:

●     The federal government should update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule so that healthcare providers have more relevant and practical guidance.

●     Healthcare providers should conduct a HIPAA security risk analysis on an annual or, at the least, bi-annual basis and put a plan in place to address any vulnerabilities found.

●     Hospitals should conduct a specific “portfolio” risk analysis of the numerous vendors, contractors, and consultants they work with to focus on the subset of business associates that present a high risk of potential damage from data breaches.

●     Healthcare providers must make their employees more security-conscious.

Consumers need to do what they can to protect their own health information, but healthcare organizations must mount vigorous defenses to ward off data breaches and implement incident response plans to quickly address breaches when they happen.