Medical industry data breaches: An ounce of prevention

Data and information breaches are on the rise, and the latest figures are sobering.

Breaches are up almost 30 percent from this time last year, and, what’s more, the latest reporting from the Identity Theft Resource Center (ITRC) shows that of the 900 data breaches from January-August of 2017 – associated with some 16 million records – more than 25 percent of reported breaches are within the healthcare/medical industry.

A data breach is defined as an incident in which an individual name, plus a Social Security number, driver’s license number or a medical or financial record (credit/debit cards included), is potentially put at risk due to exposure. For firms in the medical industry, the cost for not protecting patient data is astronomical. According to the Office for Civil Rights, some $17 million in HIPAA (Health Insurance Portability and Accountability Act of 1996) violation settlements have been paid out in 2017 alone. Some of these settlements include:

  • $2.4 million – paid by Memorial Hermann Health System, a nonprofit health system in Texas
  • $2.5 million – paid by CardioNet, a wireless health services provider in Pennsylvania
  • $5.5 million – paid by Memorial Healthcare System, a nonprofit medical facilities operator in Florida
  • $387,000 – paid by St. Luke’s-Roosevelt Hospital Center Inc. (formerly Spencer Cox Center), a provider of comprehensive health services to persons living with HIV or AIDS, in New York

Penalties of this sort make the true cost of not protecting data clear to everyone. When fines can run into the millions, it can be fairly said that “an ounce of protection is worth a pound of cure” when it comes to healthcare IT security.

In addition to observing the privacy protections mandated by HIPAA, healthcare companies need to account for the HITECH Act (Health Information Technology for Economic and Clinical Health) of 2009, wherein organizations dealing with electronic Protected Health Information (ePHI) must put technical controls in place to ensure the security and privacy of patient data. Failure to adhere means severe consequences, just as with HIPAA. Failure to comply with the HITECH Act can result in penalties ranging from making a public acknowledgement of data exposure and paying fines of up to $1.5 million to the loss of government payments, such as Medicare or Medicaid, for healthcare services.

What is needed to prevent the financial and reputation damage of a data breach, then, is a comprehensive strategy upon which a compliance program can be built, along with a reliable set of security tools. Today, most organizations that deal with medical information use some sort of electronic health care system that combines the many facets of patient care, from intake and visits to follow-up care and billing, and these systems are generally designed for compliance. However, to provide complete coverage of the ePHI technical protections required for HIPAA compliance, organizations must protect more than just the healthcare system itself – because any systems where patient data can be accessed or stored must be protected.

This is where an overall security strategy becomes critical. Not only must data in transit be protected, it must also be protected at the endpoints. And not only your own endpoints – but also the endpoints of third parties that can access your data. Otherwise, they may put your company at risk.

These physical and network security concerns must also be backed up by a comprehensive security policy and plan that show the government that your organization has an “affirmative defense” for protecting patient data. When it comes to implementation of a complete IT security chain, key considerations include:

  • Protection – safeguarding all ePHI on computers, laptops and tablets, as well as removable media such as USB drives, and securing that data across communications networks
  • Compliance – meeting HIPAA and HITECH enforcement rules through policy control
  • Management – deployment and monitoring of compliance via management tools, typically cloud-based

These challenges are why so many healthcare firms look to outside companies to secure and manage the information under the purview of HIPAA and HITECH. IT departments are typically overtaxed and need to focus on their core mission, which is helping in the delivery of patient care. By leveraging secure, cloud-based solutions to protect critical data, healthcare companies can avoid “walking a tightrope” with data and personal information and taking unnecessary financial and public relations risks. The task of protecting personal data by implementing a complete IT security chain is not optional – it is essential.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019.