<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; HITECH Act</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/hitechact/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Little progress made in the prevention of medical data breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2013/01/01/little-progress-made-in-the-prevention-of-medical-data-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2013/01/01/little-progress-made-in-the-prevention-of-medical-data-breaches/#comments</comments>
		<pubDate>Tue, 01 Jan 2013 16:32:55 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[medical fraud]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1919</guid>
		<description><![CDATA[Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)1.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 [...]]]></description>
			<content:encoded><![CDATA[
<p>Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient <a href="http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/">data protection and security</a> has improved very little, according to the latest <a href="http://www.hitrustalliance.net/breachreport/HITRUST%20Report%20-%20U.S.%20Healthcare%20Data%20Breach%20Trends.pdf" class="broken_link" rel="nofollow">study</a> from the Health Information Trust Alliance (HITRUST)<sup>1</sup>.  The study reports that from 2009 to the first half of 2012, there were 495 <a href="http://www.experian.com/blogs/data-breach/2012/04/03/the-rx-for-medical-breaches/">medical data breaches</a> involving 21 million records and costing roughly $4 billion.  Government organizations, including VA hospitals, accounted for the highest number of lost records, and the states with the most health care data breaches are California, Texas and New York.  Since 2009, the total number of <a href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/">data breaches</a> at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.</p>
<p>The report also found that the majority of breaches (70 percent) were electronic and that the leading cause of data breach incidents was stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches.</p>
<p>The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach, but over 50 percent of companies failed to meet this deadline after a breach.</p>
<p>And it may get worse before it gets better if the medical industry does not find a way to protect itself from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices, where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place, which could pose a problem in the event that the device is lost.  In addition, due to their smaller size, these practices lack the resources and awareness to arm themselves with proper data breach protection in all areas of their practice.  This could expose a larger problem for the entire healthcare industry, since community health records and health information are often shared between medical institutions of all sizes.</p>
<p><sup>1</sup> HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to ensure information security is a core value in the broad adoption of health information systems and exchanges.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2013/01/01/little-progress-made-in-the-prevention-of-medical-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Differentiating factors of a healthcare breach</title>
		<link>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 08:30:58 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1125</guid>
		<description><![CDATA[Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting. With breaches of medical records increasing 97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/stealing-data1.jpg"><img class="aligncenter size-full wp-image-1131" title="hand-stealing-data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/stealing-data1.jpg" alt="" width="426" height="282" /></a></p>
<p>Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting.<br />
With <a title="Trends in healthcare data breaches" href="http://www.experian.com/blogs/data-breach/2012/03/20/trends-in-healthcare-data-breaches/" target="_blank">breaches of medical records increasing </a>97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors that make breaches in this one industry so cumbersome, dangerous and difficult to deter.<br />
 <br />
1. Heavy regulations<br />
While various state laws govern many breaches, a healthcare breach falls under federal law—both for providers and their business associates. The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to govern PHI management. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further enforced it. HITECH’s tiered system of fines can cost a company as much as $1.5 million for mishandling a breach.</p>
<p>2. Black market premium<br />
By many estimates, a medical record sells for $50 on the black market, compared to just $1 for a Social Security number (SSN), according to a GovTech.com article. A single breach can be highly lucrative with an average of 49,000 records impacted per incident. This profitability makes it all the more difficult to deter medical breaches and protected health information (PHI) fraud stemming from both internal and external threats.</p>
<p>3. Substantial harm to patients<br />
Ninety percent of healthcare organizations in a recent study agreed that breaches cause patients harm. One example of this is medical identity theft. Another study found that resolving medical identity theft costs victims $20,663, an extrapolated average. Patients with breached PHI may face even worse. They could lose their medical insurance altogether, due to abuse of their benefits by an imposter. And that imposter’s health conditions, blood type, allergies and prescriptions could end up being part of the victim’s medical file. That misinformation could lead to improper medical care, potentially resulting in a life-threatening situation for the victim.</p>
<p>4. High volume of breaches<br />
According to data from the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" rel="nofollow" target="_blank" class="broken_link">Identity Theft Resource Center</a>, the overall volume of breached records increased 35% from 2010 to 2011. Yet, according to HHS data, the volume of breached PHI records increased 97% in the same timeframe. In fact, three of the top six breaches of 2011 were in healthcare, according to the Privacy Rights Clearinghouse. The numbers point to an industry in crisis. Ninety-six percent of providers in a recent study have experienced at least one breach in the past two years.</p>
<p>5. Unprepared entities<br />
The increase in medical breaches comes at a time when entities are updating their offices with both electronic health records (EHR) and mobile devices. Many are doing so without putting the proper security measures and access controls in place first. In a recent study, 81% of healthcare entities reported using mobile devices to “collect, store and/or transmit” PHI but 49% haven’t implemented any protection measures for the devices.</p>
<p>With so many different factors at play in <a title="The RX for medical breaches" href="http://www.experian.com/blogs/data-breach/2012/04/03/the-rx-for-medical-breaches/" target="_blank">healthcare breaches</a>, the sector will continue to be an interesting one to watch. As the HHS promotes greater transferability of EHR, the road ahead may become even rockier.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The dollars of a data breach</title>
		<link>http://www.experian.com/blogs/data-breach/2011/08/16/the-dollars-of-a-data-breach/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/08/16/the-dollars-of-a-data-breach/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 15:42:48 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data breach costs]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=728</guid>
		<description><![CDATA[It’s no surprise that data breaches are expensive.  The exact cost of these incidents, which have only become more spectacularly headline-grabbing in recent months, is a question that the Ponemon Institute has addressed for the past six years.  ]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/08/DataLossPreventionBusinessAdvisoryBanner.jpg"><img class="aligncenter size-full wp-image-729" title="DataLossPreventionBusinessAdvisoryBanner" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/08/DataLossPreventionBusinessAdvisoryBanner.jpg" alt="" width="448" height="196" /></a></p>
<p>It’s no surprise that data breaches are expensive.  The exact cost of these incidents, which have only become more spectacularly headline-grabbing in recent months, is a question that the Ponemon Institute has addressed for the past six years.  Their most recent analysis, the <a rel="nofollow" href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon" target="_blank" class="broken_link">2010 U.S. Cost of a Data Breach</a>, includes a look at 51 U.S. companies from 15 different industry sectors, all of which experienced data breaches.</p>
<p>The findings dispel any notion that data breaches are becoming less costly as data breach notification sets in amongst consumers and they presumably care less about breach incidents.  In fact, consumers are still highly concerned about data breaches, and the costs of breaches are climbing.</p>
<p>A few <a rel="nofollow" href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher" target="_blank" class="broken_link">key takeaways</a> from the Ponemon study:</p>
<ul>
<li>The average cost of a data breach increased by seven percent to $7.2 million in 2010, with the cost of each compromised record now averaging $214, up from $209 in 2009.</li>
<li>Costs of a data breach include notification and legal defense costs, penalties from regulations such as the <a href="http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/" target="_blank">HITECH Act</a>, and lost customer business.</li>
<li>For the first time, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one; up from 12% in 2008, to 24% in 2009, to 31% in 2010.</li>
<li>Quick responses to data breaches are more costly than slower responses – 54% more, to be precise.  In their haste to comply with state and federal regulations, some companies rush to get the notification process over with, and in the process over-notify.</li>
<li>Companies are more proactively protecting themselves from data breach threats.  For example, breaches due to systems failures, lost devices and third-party mistakes are lower than before.  And while some companies may be responding to breaches too hastily (and inefficiently), the good news is that more companies are responding to breaches within 30 days of an incident.</li>
</ul>
<p>One of the more surprising findings is that negligence is still the leading cause of data breaches, at 41%, further underscoring the need for companies to strengthen their <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">security practices</a>.  On the bright side, the average breach detection and escalation costs went up by 72%, so it appears that companies are beginning to get the message that the threat of data breaches requires <a href="http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%E2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/" target="_blank">aggressive precautions</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/08/16/the-dollars-of-a-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption: Data’s best friend</title>
		<link>http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%e2%80%99s-best-friend/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%e2%80%99s-best-friend/#comments</comments>
		<pubDate>Tue, 12 Jul 2011 17:16:26 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Payment Card Industry Security Standard]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=668</guid>
		<description><![CDATA[When considering your company’s full breach prevention strategy, consider encryption a strong bodyguard that can play a big role in protecting data while also shielding your company from embarrassing and costly breaches.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/07/encryption2.jpg"><img class="aligncenter size-full wp-image-673" title="D" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/07/encryption2.jpg" alt="" width="448" height="336" /></a></p>
<p>Once upon a time, in the dark ages before the Internet, <a rel="nofollow" href="http://www.webopedia.com/TERM/E/encryption.html" target="_blank" class="broken_link">encryption</a> was a tool confined mostly to the military.  The algorithmic schemes that convert plain text into an unreadable form, for purposes of privacy protection, naturally weren’t considered relevant to the public.</p>
<p>Times have changed.  Now encryption is seen as an essential method to secure data and protect infrastructures from breaches, which is why web browsers automatically encrypt text when connecting to secure servers, and why security regulators are making encryption a mandatory part of many compliance practices.</p>
<p>Indeed, compliance is the number one factor driving more companies to implement encryption technologies than ever before.  According to the most recent <a rel="nofollow" href="http://www.symantec.com/about/news/release/article.jsp?prid=20101117_01" target="_blank" class="broken_link">Ponemon Institute’s U.S. Enterprise Encryption Trends report</a>, 69 percent of the IT and business leaders surveyed said that compliance is the reason they are adopting encryption within their company’s technologies, topping even the mitigation of data breaches (63 percent) as their paramount motivation.</p>
<p>Given that encryption is a must under a variety of newer regulations, it’s no surprise that companies feel the pressure to get on the encryption bandwagon, and that solutions involving encryption have seen the biggest increase in IT budget line items over the past year.  The <a href="http://www.experian.com/blogs/data-breach/2010/11/23/ensuring-compliance-with-new-healthcare-legislation/" target="_blank">HITECH Act</a> and various state privacy laws such as Massachusetts 201 CMR 17 are two examples of regulations which mete out stiff penalties to companies that don’t use encryption to protect sensitive data.  The Health Information Portability and Accountability Act (HIPAA) remains a <a rel="nofollow" href="http://www.indefenseofdata.com/2011/03/encryption-remedy-for-healthcare-data-loss/" target="_blank" class="broken_link">key driver for encryption</a>, while the <a rel="nofollow" href="https://www.pcisecuritystandards.org/" target="_blank" class="broken_link">Payment Card Industry Security Standard</a>, whose requirements for credit card transaction security include encryption, has become the fastest growing reason for IT organizations to use encryption.</p>
<p>Because more people are working remotely, with data flowing outside of traditional security walls, and because data breaches are on the rise, the Ponemon report concludes that encryption adoption will continue to increase in the coming years.</p>
<p>When considering your company’s full <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">breach prevention strategy</a>, consider encryption a strong bodyguard that can play a big role in protecting data while also shielding your company from embarrassing and costly breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%e2%80%99s-best-friend/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data breaches – to prepare or not to prepare? The answer is simple.</title>
		<link>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/#comments</comments>
		<pubDate>Tue, 17 May 2011 16:00:22 +0000</pubDate>
		<dc:creator>pluehr</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[State Law]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=566</guid>
		<description><![CDATA[All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. ]]></description>
			<content:encoded><![CDATA[
<p><em>Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, <a href="http://www.strozfriedberg.com/professionals/xprProfessionalDetails1.aspx?xpST=ProfessionalDetail&amp;professional=11" rel="nofollow" target="_blank" class="broken_link">Stroz Friedberg, LLC</a> - a global digital risk management and investigations firm.</em></p>
<p>All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So <strong>PLAN</strong>, keeping in mind:  <strong><span style="text-decoration: underline;">P</span></strong>eople, the <strong><span style="text-decoration: underline;">L</span></strong>aw, and <strong><span style="text-decoration: underline;">A</span></strong>ction, with <strong><span style="text-decoration: underline;">N</span></strong>o time to waste.</p>
<p><strong><span style="text-decoration: underline;">P</span></strong>eople – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.</p>
<p><strong><span style="text-decoration: underline;">L</span></strong>aw – Track fast-changing data breach laws, privacy regulations, and notification mandates <em>before</em> a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).</p>
<p><strong><span style="text-decoration: underline;">A</span></strong>ction – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.</p>
<p><strong><span style="text-decoration: underline;">N</span></strong>o time to waste – Remember that time is of the essence. <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Once a breach is identified</a>, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  </p>
<p>A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, <strong>create your PLAN now.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do your business associates know how they will be affected by HITECH?</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 23:30:30 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=37</guid>
		<description><![CDATA[Just as the healthcare industry came up to speed on the regulations defined  in The Health Information Technology for Economic and Clinical Health ("HITECH") Act, additional modifications are being proposed. These proposed rules focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs). So why is this significant? ]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-129 alignnone" title="medical doctor" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/medical-doctor.jpg" alt="" width="521" height="260" /></p>
<p>Just as the <a href="http://www.experian.com/data-breach/healthcare-data-breach.html" target="_blank">healthcare industry</a> came up to speed on the <a href="http://www.hipaasurvivalguide.com" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">regulations defined</span></a> in The Health Information Technology for Economic and Clinical Health (&#8220;HITECH&#8221;) Act, additional modifications are being proposed. These <span style="text-decoration: underline;"><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html" target="_blank" class="broken_link" rel="nofollow">proposed rules</a></span> focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs).</p>
<p>So why is this significant? For two reasons. First, combined with the HITECH Act, the new rules will extend both certain HIPAA Security and Privacy requirements and the associated penalties to business associates. Second, the proposal expands the definition of BA to include subcontractors who handle health information. Subcontractors would be considered BAs and would be subject to direct liability under the HIPAA rules.</p>
<p>Many provider networks, physician practices and insurance plans work with outside vendors to manage their businesses and patient health information. Many of these providers are BAs who use subcontractors. Under the proposed new regulations, these subcontractors must also be HIPAA compliant and follow the HITECH regulations or face penalties. This also means that CEs could be held liable when a BA does not comply.</p>
<p>How well does your company know its business associates…<em>and the businesses that they do business with</em>? As health care organizations expand their operations, it is imperative that due diligence is performed to avoid potential liability stemming from non-compliant vendors. <a href="http://www.abanet.org/health/esource/Volume5/10/Nosowsky.html" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Some privacy professionals</span></a> feel the best way to prevent liability under the new requirements is to be proactive about adhering to compliance standards.</p>
<p>Companies should consider actively working with their <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">vendors</a> to address the stringent HITECH requirements and ensure that anyone who falls under the BA category is aware of the full implications of HITECH and HIPAA. The more proactive you are, the better your chance of avoiding potentially heavy fines due to the ignorance of a BA that was not aware of the law.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>