Health Care and Data Breaches

This blog post is my 500th article!!! 

One of the most critical issues in the healthcare field today, for medical providers and facilities and for consumers, is the breach of personal health care information. The theft of personal medical records is big money on the black market, and ID theft due to that crime is rampant.

According to Modern Healthcare magazine, 2016 is being deemed the “year of data security” in healthcare—if only because 2015 was a substantial wake-up call for the industry. Nearly 90 percent of healthcare providers have been hit by data breaches in the last two years, according to security research firm Ponemon Institute, with many large-scale and criminally driven attacks publicized in 2015. More details are located at this website: http://www.modernhealthcare.com/article/20160227/SPONSORED/160229900/2016-the-year-of-data-security

HIT Consultant reports that one in three Americans were victims of healthcare data breaches in 2015, attributed to a series of large-scale attacks that each affected more than 10 million individuals. These and other statistics are contained in Bitglass’ 2016 Healthcare Breach Report.

Among the most significant findings of the report was that in 2015, 98 percent of record leaks were due to large-scale breaches targeting the healthcare industry. These high-profile attacks were the largest source of healthcare data loss and indicate that cyber attackers are increasingly targeting medical data.

Such breaches include the widely publicized Premera Blue Cross hack involving 11 million customers, and the Anthem hack which resulted in 78.8 million leaked customer records. More info is located at this website: http://hitconsultant.net/2016/01/28/hackers-caused-98-of-healthcare-data-breaches/.

According to Health IT Security, 80 percent of organizations handling sensitive information report concern for large-scale data breaches, based on a survey conducted by Advisen. This survey included organizations from several different industries, but the most highly represented industry was healthcare, comprising 22 percent of the respondent sample.

Despite the growing concern for large-scale data breaches, the study’s authors report that organizations may not be doing enough. While three quarters of respondents report having some sort of data breach response plan, these plans may not go through rigorous enough testing. You can find more material on this subject at this site: http://healthitsecurity.com/news/large-data-breaches-top-worry-for-health-pros-survey-shows.

Forbes Magazine reported that 2015 was the worst year yet for data breaches. The online mechanism for the Office of Civil Rights (OCR) under Health and Human Services publishes data breaches as reported to them and required by HIPAA. The numbers last year are just staggering:

·         According to OCR, there were 253 healthcare breaches that affected 500 individuals or more with a combined loss of over 112 million records.

·         The top 10 data breaches alone accounted for just over 111 million records that were lost, stolen or inappropriately disclosed.

·         The top six breaches affected at least 1 million individuals–and four of the six were Blue Cross Blue Shield organizations.

While HIPAA is the legislation (passed in 1996) designed to protect patients against loss, theft or disclosure of their sensitive medical information, the fines and penalties don’t appear to be having a discernible effect on either patient privacy or data security.

A recent data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward connected care, the amount of data exchanged between organizations is only going to grow. So what does this mean? It means that in 2016, the healthcare industry is going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs (electronic health records) and other vulnerable PHI (Personal Health Information). More detailed material is located at this website: http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#3f9cb33b7fd5.

Oddly enough, however, according to Health IT Security, the first few months into 2016 are showing a slightly different trend, with results from the Department of Health and Human Services (HHS) indicating that stolen devices and improper disposal are the top threats currently facing the industry. Patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, other medical status and assessment information as well as some financial information have been exposed with these incidents.

The top five healthcare data breaches of this year so far do not involve hacking or an IT incident, according to the HHS Office for Civil Rights (OCR) data breach reporting tool. Instead, theft, loss, improper disposal, and unauthorized email access or disclosure have caused the largest incidents in 2016. More info is located at this website: http://healthitsecurity.com/news/top-5-healthcare-data-breaches-in-2016-not-from-hacking.

According to IT Business Edge, a big part of the problem is that security organizations are still focused on preventative security — looking for a silver bullet that will keep an attacker out of their networks in the first place. Despite a Gartner recommendation that organizations shift security efforts toward the detection of network intruders and the emergence of promising new behavioral analytic tools and security strategies, well under 1 percent of enterprises have the ability to find a post-intrusion network attacker. Cyber criminals continue to have the potential for unimpeded, long-term success. More info is located at this site: http://www.itbusinessedge.com/slideshows/2016-security-trends-whats-next-for-data-breaches-06.html.

Hospitals, health systems, payers and any organization with stewardship of healthcare data are prime targets for cyberattacks, according to Becker’s Hospital Review (BHR). And there are plenty of cautionary tales showing just how much damage hackers can do. While no healthcare organization will ever be completely invulnerable to such attacks, they can learn from others' mistakes.

Here are four lessons, according to BHR, healthcare providers can consider when thinking about data breach prevention and preparedness:

1.    Don't fall prey to known vulnerabilities.

2.    Utilize experience-based training.

3.    Consider a third party for security audits.

4.    Create a contingency plan.

More information about this topic is available at this website: http://www.beckershospitalreview.com/healthcare-information-technology/4-healthcare-data-breach-lessons-to-take-to-heart.html.

Businesses, especially in the healthcare field, must always make every effort to protect patient information. That is their responsibility, and they can be held civilly responsible, and criminally responsible if there is a proven negligent act. As a consumer, you may receive a letter or an email informing you that your personal information may have gotten into the wrong hands as a result of a data breach.  Perhaps a media report alerted you to a security breach at a company where you do business.

Regardless of the type of data breach, medical information is more difficult to recover, manage, and restore, especially for consumers. According to Privacy Rights Clearinghouse, there are helpful tips on what to do if a breach has occurred. Much more detail is located at this website: https://www.privacyrights.org/how-to-deal-security-breach.

Always be diligent to monitor your healthcare information. Take steps to protect your personal data, and never provide your information to businesses that have no protection or privacy capabilities in place. Always ask who will see your information, and request a copy of their privacy policies. If you discover that a breach has occurred, take quick action to reduce the exposure and limit the damage that can be done. It’s your life. Keep it secret. Keep it safe.

Until next time.