Infographic: A Decade of Data Breach (and 4 Best Security Practices)

In the past two years, 94 percent of healthcare organizations have suffered at least one data breach, according to a new infographic called "A Decade of Data Breach," released by data breach consulting firm ID Experts.

Since data breaches were first identified as an industry issue in 2003, they have become a major concern for healthcare providers and patients. In 2011, medical identity theft affected 2 million people (that year, a stolen medical record fetched about $50 on the black market), according to the infographic. A recent increase in the use of mobile technology has only increased the risk of compromised data: According to the infographic, 88.6 percent of healthcare providers access patient information on unsecured smartphones.

"Hospitals need to make the protection of protected health information an operational imperative versus responding to breaches when they happen," says Rick Kam, president and co-founder of ID Experts. Below, he offers four best practices to help hospitals protect against data breaches, and handle any that do occur.

1. Recognize the real possibility of a breach. "Don't ignore the risk of a data breach by saying, 'It won't happen to us,' or 'We haven't had any incidents yet,'" says Mr. Kam. He says an attitude like this can lead to a culture of noncompliance with recommended security measures. It's "why some organizations find themselves utterly unprepared to effectively manage incidents and avoid fines and formal corrective actions," he says.

2. Identify and correct weaknesses. In addition to following prescribed best practices for data storage and security, Mr. Kam says hospitals should test their systems and safeguards — before a potential data breach does so. "Conduct a mock incident test," he recommends. "It is the best way to validate the quality of your incident response plan and team and to identify any changes and deficiencies in your policies, procedures, IT and forensics."

Any chinks in the armor, he says, can then be fixed. Moreover, such a test will also reveal any weaknesses in the chain of command for dealing with potential incidents, so leadership can be ready to respond.

3. Protect data on mobile devices. As more physicians use their own mobile devices, such as smartphones or tablets, in a clinical setting, protecting patient data and security on these devices is important, says Mr. Kam. "Have clear policies about the use of bring-your-own-devices and other mobile and portable storage devices, and enforce them," he says.

He recommends administrators ask themselves the following questions: "Can or should protected health information be accessed from these devices and stored locally? Is the PHI encrypted? Can the presence or lack of presence of the PHI on these devices be proven if they are compromised?"

4. Don't announce a breach without due diligence. "It is critical to take the appropriate time to investigate the root cause and scope of the incident before notification," says Mr. Kam. He says many hospitals do not take the time to fully understand the scope (or even the presence) of a breach before making an announcement.

Once a breach has been confirmed and affected areas or patients are identified, the next step is to "determine if the incident qualifies as a reportable breach according to federal and state breach laws," says Mr. Kam. Then announcements and notifications should be made in accordance with all applicable regulations, he says.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.