Healthcare Data Breaches Are Common, Putting Patient Data and HIPAA Compliance at Risk
Healthcare data breaches, and HIPAA compliance violations from those data breaches, are increasingly common. That’s one of the stark conclusions from the Ponemon Institute’s sixth annual study on the state of security and privacy in the healthcare industry. Drawing on a detailed survey of healthcare organizations (HCOs) and their business associates (BA), the Ponemon study found that in the previous 24 months:
- 89% of healthcare organizations had experienced at least one data breach
- 79% of healthcare providers had experienced two breaches
- 45% had experienced five or more data breaches
The sources of healthcare data breaches varied, but criminal actors, either inside or outside the HCO, played significant roles. When asked about the root cause of data breaches:
- 50% of healthcare organizations cited criminal attacks
- 41% cited errors by third parties
- 39% cited stolen computing devices such as laptops
- 13% cited malicious insiders
Criminals clearly understand the value of stolen medical records for perpetrating medical fraud and other forms of identity theft. Stolen medical records can be used to illicitly obtain prescriptions, medical equipment such as electric wheelchairs, and medical care worth thousands or even tens of thousands of dollars. Experian reports that the average incidence of medical fraud ends up costing the victim over $22,000. It’s not surprising, then, that a stolen medical record sells for 10 times the price of a stolen credit card on the black market.
Since medical fraud is so lucrative, HCOs and BAs should expect the attacks on medical files and billing records to continue.
Not Exempt: Business Associates and Other Third Parties
This year’s Ponemon healthcare data survey was the first to include business associates as respondents. Broadening the focus of healthcare data security and HIPAA compliance to include the business associates of healthcare organizations makes sense. In 2009, the Health Information Technology for Economic and Clinical Health Act (more commonly referred to as the HITECH Act), expanded the scope of the HIPAA Data Privacy Rule to cover an HCO’s business associates such as third-party administrators, medical transcriptionists, law firms, CPA firms, and other parties providing services such as data analysis, practice analysis, and billing.
Given the nature of their work, these organizations inevitably end up handling protected health information (PHI) like medical records and are just as susceptible to a healthcare data breach as an HCO. As a result, the HITECH Act requires these organizations to meet the same standards for data privacy and data security used by HCOs themselves for achieving HIPAA compliance.
HCOs seem to recognize the risks posed by BAs and other third parties for causing healthcare data breaches and creating HIPAA compliance violations. According to the Ponemon survey, about a third of HCOs believe that BAs are not vetted carefully enough, and about two thirds (61%) of HCOs are now paying more attention to the data security practices of the BAs they work with.
Solving the Problem of Healthcare Data Breaches
To reduce the frequency and scope of healthcare data breaches, HCOs and their business associates need new data security and data governance solutions that work with their existing IT systems. Specifically, HCOs and BAs need:
- Comprehensive data security – Data should be secured across the enterprise, regardless of whether it is stored on-premises or in the cloud. How it is accessed (e.g. desktop, laptop, tablet, mobile or wearable) must be considered as well. Ensuring that the data is encrypted in transit, in use and at rest is a great start.
- Comprehensive Antivirus (AV) protection – Anti-malware screening that stops rootkits and other software tools used by attackers should be in place. On mobile devices, sensitive content should be stored in a “secure container,” a protected area of memory and storage that minimizes the risk of contamination from malware that might reside elsewhere on a device.
- Support for secure collaboration – Because healthcare is inherently collaborative work, content management solutions that support common collaboration tasks such as task management, threaded discussions, and more should be equipped with security features to ensure healthcare providers can collaborate securely.
Secure File Sharing for Healthcare Data Security and HIPAA Compliance
Secure file sharing solutions, including the Kiteworks secure file sharing and governance platform, provide secure access to sensitive content such as Electronic Health Records (EHRs) that must be protected for HIPAA compliance. A secure file sharing solution enables HCOs and BAs to share, send, sync and edit files on any type of device, from any content store, including popular Enterprise Content Management (ECM) platforms like Microsoft SharePoint.
Designed to reduce the risk of healthcare data breaches while supporting HIPAA compliance and collaboration, secure file sharing solutions:
- Encrypt data in use, in transit, and at rest.
- Provide controls and monitoring tools for IT administrators to enforce security policies and monitor the distribution of PHI.
- Integrate with a broad range of ECM platforms and data storage services, including Microsoft SharePoint, EMC Documentum, OpenText, Box, Dropbox, Google Drive, and others. These integrations enable HCOs and BAs to enforce security policies consistently across all content systems, including public cloud data services.
- Enable healthcare providers to share content securely with trusted partners outside the HCO. Secure collaboration features include digital watermarking, restricted administration rights, and file and folder expiration, among others.
- Provide built-in AV scanning to stop malware from infecting mobile devices and their content.
- Enable “remote wipe” or remote deletion of data on devices once IT administrators know a device is missing or an employee has left the organization.
- Support task management and threaded discussions to ensure mobile employees have access not only to content but also the context for content.
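The expiration and monitoring controls in the list above are described as features rather than as a mechanism. As an added example (not Kiteworks code and not part of the original post), the Python below shows the usual way an expiring external share is enforced: an HMAC-signed token bound to one file and one recipient, which is refused once it expires, is forwarded to someone else, or is altered in any way, with every decision written to an audit record so an administrator can monitor where PHI is going. The signing key, file identifier and recipient address are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: a real deployment keeps this in a key manager, never in source.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token can live in a link."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_share_token(file_id: str, recipient: str, ttl_seconds: int,
                      now: Optional[float] = None) -> str:
    """Create a share token for one file and one recipient that expires after ttl_seconds."""
    issued = int(time.time() if now is None else now)
    claims = {"file": file_id, "to": recipient, "iat": issued, "exp": issued + ttl_seconds}
    # Canonical JSON so the same claims always produce the same bytes (and the same MAC).
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_share_token(token: str, recipient: str,
                       now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and used by its intended recipient; else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: the MAC check must run before any claim is trusted.
    if not hmac.compare_digest(tag, expected):
        return None  # altered or forged
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None  # the share has expired
    if claims["to"] != recipient:
        return None  # link forwarded to someone it was not issued to
    return claims


def request_download(token: str, recipient: str, audit_log: list,
                     now: Optional[float] = None) -> bool:
    """Gate a download on the token and record the decision so PHI distribution can be monitored."""
    claims = verify_share_token(token, recipient, now=now)
    audit_log.append({
        "ts": int(time.time() if now is None else now),
        "recipient": recipient,
        "file": claims["file"] if claims else None,
        "allowed": claims is not None,
    })
    return claims is not None


if __name__ == "__main__":
    # Constructed sample: a one-hour share of a record with an outside clinician.
    t0 = 1_700_000_000
    tok = issue_share_token("ehr-12345", "dr.lee@partner.example", 3600, now=t0)
    log: list = []
    print(request_download(tok, "dr.lee@partner.example", log, now=t0 + 60))    # True
    print(request_download(tok, "dr.lee@partner.example", log, now=t0 + 3600))  # False: expired
    print(request_download(tok, "someone@else.example", log, now=t0 + 60))     # False: wrong recipient
    for entry in log:
        print(entry)
```

The audit entries are what an administrator would review or forward to a SIEM: denied attempts from unexpected recipients are the signal that a link was shared beyond the intended partner.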
Quality patient care requires accurate diagnosis, effective treatment, and bullet-proof data security. With secure file sharing, healthcare professionals extend quality patient care by protecting patient privacy.