50 things to know about healthcare data security & privacy

Data privacy and security are increasingly a concern in nearly all industries. From HIPAA and data breaches to the patient perspective and EHRs, here are 50 things to know about data security and privacy issues in healthcare.

HIPAA

1. The Health Insurance Portability and Accountability Act, designed to protect healthcare information security and confidentiality, was enacted in 1996.

2. The law is divided into Title I, which focuses on portability, and Title II, which focuses on administrative simplification. The portability portion of the law was put in place to ensure individuals can carry health insurance from one job to another. Title II focuses how healthcare information is received and sent, as well as the maintenance of privacy and security.

3. HIPAA regulations apply to all healthcare providers, health plans and healthcare clearinghouses. Protected health information includes the following:

•    Names
•    Birth dates, death dates, treatment dates, admission dates and discharge dates
•    Telephone numbers and other contact information
•    Addresses
•    Social Security numbers
•    Medical record numbers
•    Photographs
•    Finger and voice prints
•    Any other indentifying numbers

4. Under the HIPAA privacy rule, patients have a number of rights including:

•    The right to receive notice of privacy practices of any healthcare provider, plan or clearing house
•    The right to see their protected health information and receive a copy
•    The right to request changes to their records to correct errors or add information
•    The right to have a list of those their protected healthcare information has been disclosed to
•    The right to request confidential communication
•    The right to complain.

5. HIPAA violations can come with both civil and criminal penalties. Here are four HIPAA violations and the resultant civil penalties, according to the American Medical Association.

Individual did not know HIPAA was being violated
•    Minimum penalty: $100 per violation and an annual maximum of $25,000 for repeat violations
•    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million

HIPAA violation due to reasonable cause and not willful neglect

•    Minimum penalty: $1,000 per violation and an annual maximum of $100,000 for repeat violations
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

HIPAA violation due to willful neglect, but violation is corrected within required timeframe

•    Minimum penalty: $10,000 per violation with an annual maximum of $250,000 for repeat violations
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

HIPAA violation due to willful neglect and is not corrected
•    Minimum penalty: $50,000 per violation with an annual maximum of $1.5 million
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

6. Covered entities, such as health plans, clearinghouses and providers, and their employees are held liable under HIPAA. Criminal penalties apply to covered entities or individuals who "knowingly" obtain or disclose protected health information. Penalties include $50,000 in fines and imprisonment for up to one year. Violations committed under false pretense come with a $100,000 fine and up to five years in prison. Violations involving intent to sell or transfer information comes with a $250,000 fine and up to ten years in prison.

7. The HHS Office of Civil Rights enforces privacy standards. CMS enforces transaction and code set standards, as well as the security standards, according to the AMA.  

Data breaches

8. The average consolidated cost of a data breach is now $3.8 million up 23 percent from 2013, according to a Ponemon Institute report.

9. The healthcare industry has the highest cost per stolen record at an average of $363. The costs associated with lost business following a breach have risen from $1.23 million in 2013 to $1.57 million in 2013. On the other hand, notification costs have fallen from $190,000 to $170,000.

10. The most expensive data breaches occur in the United States and Germany.

11. Data breaches could cost the healthcare industry as a whole $6 billion each year, according to a Ponemon Institute report.

12. The cost components of data breach, according to a CFO magazine report, include:

•    Investigation
•    Remediation
•    Notification
•    Identify-theft repair and credit monitoring
•    Regulatory fines
•    Interrupted business operations
•    Loss of business
•    Class-action law suits

13. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands all have legislation in place requiring private and government entities to notify individuals of data breaches involving personal information, according to the National Conference of State Legislatures.

14. Criminal attacks are the leading cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations has leapt 125 percent since 2010.

15. Within the past year, 78 percent of healthcare organization breaches were due to web-borne malware attacks.

16. Despite the apparent threat data breaches pose, many healthcare organizations remain unprepared. Just 40 percent of healthcare organizations are concerned about cyber attacks.

17. Furthermore 56 percent of healthcare organizations feel their incident response processes lacks funding and resources. "As a hospital system, we don't have the fraction of the resources as the Targets and the Chases of the world, as far as security experts. We are almost like sitting ducks, but we do put tools in place to facilitate these threats to be prepared," said Cletis Earle, Vice President and CIO of St. Luke's Cornwall Hospital Newburgh, N.Y., in a Becker's Hospital Review report.

18. Though external forces are the leading cause of data breaches, internal causes are also a concern. In 2014, U.S. businesses reported $40 billion in losses due to unauthorized employee computer use, according to Experian's 2015 Second Annual Data Breach Industry Forecast report.

19. More than half of respondents to the 2014 SANS Health Care Cybersecurity survey, 51 percent, believe a negligent insider is the biggest threat to cybersecurity.

20. In April 2014, Reuters reported the FBI warned the healthcare industry that their cybersecurity systems are more vulnerable than other sectors.

21. There are a multitude of technical issues to consider when safeguarding against data breaches. Here are six technical controls to minimize security and compliance risks, according to the Healthcare security + compliance guide from HIMSS:

•    Anti-malware software
•    Data loss prevention software
•    Two-factor authentication software
•    Patch management software
•    Disc encryption software
•    Logging and monitoring software

22. In addition to addressing the technical side of data security, healthcare organizations must have operational controls in place. Here are six things to consider, according to the HIMSS report:

•    Security and compliance oversight committee
•    Formal security assessment process
•    Security incident response plan
•    Ongoing user awareness and training
•    Information classification system
•    Security policies

Data breaches in the news

23. In February, Anthem, the second largest insurer in the United States, fell prey to the largest healthcare data breach reported to date. Hackers accessed the personal information of approximately 80 million former and current customers and employees.

24. Investigators tracked the data breach back to weak login security. The hackers acquired credentials from five Anthem technology workers and used phishing campaigns to "dupe" network administrators into revealing login information or into clicking a link that granted them access to the administrators' computers.

25. Shortly after the announcement of the Anthem breach, it was revealed data in the insurer's database was not encrypted. "There are a lot of folks who don't encrypt data internally. If not encrypting your data internally is a failure or makes you irresponsible, then we have a whole lot of people in healthcare who are irresponsible, not just these guys," Mac McMillan, CEO of healthcare IT consulting firm CynergisTek and chair of the HIMSS Privacy & Security Policy Task Force, said in an interview with Becker's Hospital Review.

26. Following the announcement of the Anthem breach, consumer perceptions of the payer dipped slightly. A Wedbush Securities survey of more than 1,000 people prior to the breach found 51 percent of consumers said Anthem Blue Cross Blue Shield was a better brand than other payers. After the breach, only 45 percent of consumers said the same.

27. The large 2015 breach was not Anthem's first. In 2010, the payer was fined $1.7 million for a smaller breach, which compromised information from approximately 612,000 people.

28. Less than 24 hours after the announcement of the Anthem breach, the payer was faced with two class-action lawsuits.

29. The high-profile nature of breaches like the Anthem case can drive other healthcare providers to take a second look at their own cybersecurity policies. An Experian Data Breach Resolution and Ponemon Institute found media coverage of data breaches has driven 69 percent of companies to reevaluate and prioritize security.

30. "It's made a beneficial impact for our case to focus more on cybersecurity because it's unsexy, it's behind the scenes. Cybersecurity is only interesting when you have things like Sony and Anthem happen. All these collective things have opened up communication channels for us to continue to grow in cybersecurity," said Joel Vengco, Vice President and CIO of Baystate Health in Springfield, Mass., in a Becker's Hospital Review article.

31. Just a little more than a month after the Anthem breach went public, Premera Blue Cross, a health plan in Mountlake Terrace, Wash., announced a cyberattack that compromised the data of 11 million customers, employees and business affiliates.

32. Premera discovered the breach on Jan. 29. The initial attack took place on May 5, 2014.

33. The investigation into the breach indicates no evidence of inappropriate use of the compromised data, as of March 2015. "The security of Premera's members' personal information remains a top priority. We at Premera take this issue seriously and sincerely regret the concern it may cause," said Premera CEO Jeff Roe in a statement. "As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people's information."

34. Shortly following the public announcement of the Premera breach, the insurer was hit with several class-action lawsuits.

35. "If you are an organization like this, it is not a matter of being breached — you are likely already compromised and just don't know it yet. Attackers are able to operate for months before being detected, and this will continue until organizations architect in a way leaving attackers nowhere to hide," said TK Keanini, CTO of Lancope, in a Becker's Hospital Review Premera breach reaction report.

36.  In May, CareFirst BlueCross BlueShield, the largest payer in the Mid-Atlantic region of the United States, reported a cyberattack that affected 1.1 million past and current customers. The attack was traced back to June 2014.

37. Mandiant, a subsidiary of Milpitas, Calif.-based FireEye, detected the attack after conducting an end-to-end examination of CareFirst's IT environment. In a statement to the Wall Street Journal, FireEye said, "The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year." FireEye has also investigated other breaches and cyberattacks, including those affecting Anthem and Premera.

38. In June, the U.S. Office of Personnel Management announced hackers accessed its computer system. The data of approximately 4 million government workers was compromised.

39. The breach investigators have now linked the OPM cyberattack to both the Anthem and Premera Blue Cross breaches that occurred earlier this year.

40. The suspected culprits are government-linked Chinese hackers, according to a Bloomberg report.

41. Data breach settlement costs can be substantial. New York-Presbyterian Hospital and Columbia University submitted a joint breach report in September 2010. HHS' Office for Civil Rights initiated an investigation. In 2014, the two organizations agreed to a settlement of $4.8 million, the largest HIPAA settlement to date.  

The patient side

42. Healthcare providers are not the only ones concerned with data breaches. Depending on the type of information accessed, patients too can be exposed to risk. A Software Advice survey found that 45 percent of respondents were moderately or very concerned about security breaches involving personal health information.

43. More than half of the survey respondents, 54 percent, said they would switch healthcare providers as a result of a data breach. Nearly a quarter of respondents, 21 percent, surveyed were so concerned with data breaches they withhold personal information from their physicians.

44. Patients whose providers use paper medical records reported more concern over record privacy (75 percent) than patients whose providers use EHRs (69 percent), according to an ONC data brief.

45. Providers have traditionally safeguarded healthcare data, but it is now spreading beyond the four walls of a hospital or physician's office. Wearables are growing in popularity, but not without concern. A PricewaterhouseCoopers report on wearables found that 86 percent of respondents were concerned this technology would make them more vulnerable to security breaches.

EHRs

46. The HITECH Act, enacted in 2009, is designed to promote the adoption and meaningful use of healthcare information technology. The legislation also addresses privacy and security concerns, as well as strengthens enforcement of HIPAA rules. The American Recovery and Reinvestment Act also expands HIPAA privacy requirements. The legislation includes regulations governing EHR confidentiality, according to a HIMSS white paper.

47. Meaningful use includes requirements for patient privacy rights including assurance their health information is protected from unauthorized access and ability to access their health information.

48. More than half of providers, 61 percent, identified EHR/EMR as the category of information assets most at risk,according to the 2014 SANS Health Care Cybersecurity survey.

49. Though EHRs are intended to improve how healthcare information is stored and shared, physicians have varying views on how patients fit in. Nearly half of physicians, 49 percent, are of the opinion that patients should only have access to their entire medical record on a case-by-case basis, according to a Forbes report.

50. On the other hand, 34 percent of physicians believe patients should always have full access. Only 17 percent are of the opinion patients should never have full access.

More articles on health IT:
Mayo Clinic CISO Jim Nelms: 4 thoughts on health data security
CMS to allow innovators access to Medicare data: 5 takeaways
6 ways to amplify the CIO position

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months