
Healthcare Data Breaches Are Common, Putting Patient Data and HIPAA Compliance at Risk
Healthcare data breaches, and the HIPAA compliance violations that follow from them, are increasingly common. That’s one of the stark conclusions from the Ponemon Institute’s sixth annual study on the state of security and privacy in the healthcare industry. Drawing on a detailed survey of healthcare organizations (HCOs) and their business associates (BAs), the Ponemon study found that in the previous 24 months:
- 89% of healthcare organizations had experienced at least one data breach
- 79% of healthcare providers had experienced two breaches
- 45% had experienced five or more data breaches
The sources of healthcare data breaches varied, but criminal actors, either inside or outside the HCO, played significant roles. When asked about the root cause of data breaches:
- 50% of healthcare organizations cited criminal attacks
- 41% cited errors by third parties
- 39% cited stolen computing devices such as laptops
- 13% cited malicious insiders
Criminals clearly understand the value of stolen medical records for perpetrating medical fraud and other forms of identity theft. Stolen medical records can be used to illicitly obtain prescriptions, medical equipment such as electric wheelchairs, and medical care worth thousands or even tens of thousands of dollars. Experian reports that the average incidence of medical fraud ends up costing the victim over $22,000. It’s not surprising, then, that a stolen medical record sells for 10 times the price of a stolen credit card on the black market.
Since medical fraud is so lucrative, HCOs and BAs should expect the attacks on medical files and billing records to continue.
Not Exempt: Business Associates and Other Third Parties
This year’s Ponemon healthcare data survey was the first to include business associates as respondents. Broadening the focus of healthcare data security and HIPAA compliance to include the business associates of healthcare organizations makes sense. In 2009, the Health Information Technology for Economic and Clinical Health Act (more commonly referred to as the HITECH Act) expanded the scope of the HIPAA Data Privacy Rule to cover an HCO’s business associates, such as third-party administrators, medical transcriptionists, law firms, CPA firms, and other parties providing services such as data analysis, practice analysis, and billing.
Given the nature of their work, these organizations inevitably end up handling protected health information (PHI) like medical records and are just as susceptible to a healthcare data breach as an HCO. As a result, the HITECH Act requires these organizations to meet the same standards for data privacy and data security used by HCOs themselves for achieving HIPAA compliance.
HCOs seem to recognize the risks posed by BAs and other third parties for causing healthcare data breaches and creating HIPAA compliance violations. According to the Ponemon survey, about a third of HCOs believe that BAs are not vetted carefully enough, and about two thirds (61%) of HCOs are now paying more attention to the data security practices of the BAs they work with.
Solving the Problem of Healthcare Data Breaches
To reduce the frequency and scope of healthcare data breaches, HCOs and their business associates need new data security and data governance solutions that work with their existing IT systems. Specifically, HCOs and BAs need:
- Comprehensive data security – Data should be secured across the enterprise, regardless of whether it is stored on-premises or in the cloud. How it is accessed (e.g. desktop, laptop, tablet, mobile or wearable) must be considered as well. Ensuring that the data is encrypted in transit, in use and at rest is a great start.
- Comprehensive Antivirus (AV) protection – Anti-malware screening that stops rootkits and other software tools used by attackers should be in place. On mobile devices, sensitive content should be stored in a “secure container,” a protected area of memory and storage that minimizes the risk of contamination from malware that might reside elsewhere on a device.
- Support for secure collaboration – Because healthcare is inherently collaborative work, content management solutions that support common collaboration tasks such as task management, threaded discussions, and more should be equipped with security features to ensure healthcare providers can collaborate securely.
Secure File Sharing for Healthcare Data Security and HIPAA Compliance
Secure file sharing solutions, including the Kiteworks secure file sharing and governance platform, provide secure access to sensitive content such as Electronic Health Records (EHRs) that must be protected for HIPAA compliance. A secure file sharing solution enables HCOs and BAs to share, send, sync and edit files on any type of device, from any content store, including popular Enterprise Content Management (ECM) platforms like Microsoft SharePoint.
Designed to reduce the risk of healthcare data breaches while supporting HIPAA compliance and collaboration, secure file sharing solutions:
- Encrypt data in use, in transit, and at rest.
- Provide controls and monitoring tools for IT administrators to enforce security policies and monitor the distribution of PHI.
- Integrate with a broad range of ECM platforms and data storage services, including Microsoft SharePoint, EMC Documentum, OpenText, Box, Dropbox, Google Drive, and others. These integrations enable HCOs and BAs to enforce security policies consistently across all content systems, including public cloud data services.
- Enable healthcare providers to share content securely with trusted partners outside the HCO. Secure collaboration features include digital watermarking, restricted admin access, and file and folder expiration, among others.
- Provide built-in AV scanning to stop malware from infecting mobile devices and their content.
- Enable “remote wipe” or remote deletion of data on devices once IT administrators know a device is missing or an employee has left the organization.
- Support task management and threaded discussions to ensure mobile employees have access not only to content but also the context for content.
Quality patient care requires accurate diagnosis, effective treatment, and bullet-proof data security. With secure file sharing, healthcare professionals extend quality patient care by protecting patient privacy.
Frequently Asked Questions
HIPAA compliance is the adherence to the federal standards set forth in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This includes requirements on the handling and protection of patient data, as well as patient privacy.
Protected health information (PHI) is any individually identifiable information related to a patient’s physical or mental health condition, the provision of healthcare, or payment for healthcare services. This includes names, addresses, Social Security numbers, medical records, and any other confidential information associated with a patient’s health.
Failure to adhere to HIPAA compliance regulations can result in civil or criminal penalties. Civil penalties range from $100 to $50,000 per incident. In cases of willful neglect, criminal penalties can lead to up to 10 years of imprisonment.
To meet HIPAA compliance requirements, your technology must offer secure data storage, access control, user authentication, encryption, audit logging, and activity monitoring. It should also offer the ability to restrict access to data based on the user’s role and authorize individuals to have access only to the data they need.
Adhering to HIPAA compliance regulations can help protect patient data, increase trust in the healthcare system, reduce healthcare costs, and improve patient safety. It can also protect your organization from legal and financial repercussions.
To ensure your organization is HIPAA compliant, you should work with a qualified third-party vendor that can help you audit your data and processes, develop a comprehensive information security plan, and train your staff on best practices for data security and patient privacy.
Kiteworks provides organizations with the tools and features necessary to ensure their data is secure and private and remains compliant with HIPAA. The Kiteworks Private Content Network enables organizations to demonstrate compliance with HIPAA by unifying, controlling, tracking, and securing sensitive PHI data exchanges—email, file sharing, managed file transfer, web forms, and APIs. Kiteworks offers role-based access control to ensure users are only granted access to the data they need to perform their job, and helps organizations monitor and control data access in accordance with HIPAA. It also keeps organizations in compliance with HIPAA through its automated audit logging capabilities, as well as providing on-demand data destruction capabilities and comprehensive reporting capabilities. These features help organizations maintain a clear view of their data security posture and ensure that patient data is only being accessed by authorized individuals and is securely and permanently deleted when no longer needed.