Healthcare Data Breaches
Speaking in general terms about the United States healthcare system, one of the biggest risks and threats to healthcare today is not persistent human error and mistakes but technology that has not caught up with the threats being placed against organizations. Although the same can be said of many other industries and sectors, data breaches have by far some of the greatest implications and effects in healthcare today, whether they stem from human error or from large criminal attacks.
Although security breaches are a large component of the threat to healthcare’s success, they would not happen if protected health information (PHI) were given a higher priority and asset valuation in keeping with its importance and worth. In most cases, credit card numbers and financial information can be canceled and, although the process may be a headache, it is possible to start over once again; however, as Richards (2015) notes, “health records which can include your SSN, cannot be replaced and can lead to a greater and longer lasting impact.” In fact, the reason criminals and hackers are targeting the healthcare industry is that patient records are valued at 50 times what a credit card number is worth. A lack of understanding of the implications on the human side of healthcare leads to large data breaches that can cost billions in losses and fines and affect many people through leaked sensitive information. In an article written by RoyalJay, a software development company, they state that “in the last two years, 94% of healthcare organizations have experienced a breach, with 40% reporting at least five breaches” (Richards, 2015).
Although criminal attacks have become the most common cause of data breaches in the healthcare industry, a data breach is not always the direct result of a criminal attack. Where organizations have a Bring Your Own Device policy, personal devices that are unsecured and unencrypted often end up accessing the information that needs the most protection. Sometimes criminal attacks begin with the theft of a smartphone or laptop from a healthcare organization; since most users and employees either do not know that their devices need to be encrypted or ignore such policies, the assumption that it could not happen to them is a leading cause of data breaches and information security mistakes.
Source: Royal Jay
Policies that can be further enforced or implemented include devoting greater resources, time and attention to preventing, or quickly detecting, unauthorized access to patient data and its loss or theft. Aside from criminal attacks, the next leading cause of healthcare breaches is the physical theft of devices holding sensitive medical record data. These devices, typically personal and often lacking proper encryption, are stolen and the protected health information on them is directly accessed. As a result, one policy would be to limit personal devices (BYOD – Bring Your Own Device) or to enforce and mandate encryption on these devices in order to protect PHI data files. On the other end of the spectrum, however, it is also up to the health IT industry to further encrypt and protect data rather than leaving all of the responsibility with the end user. Nonetheless, a policy is only as effective as its most non-compliant end user, so it is important to train, educate and make employees aware of the severity and gravity of data breaches. The infographic provided by RoyalJay shows that only 77% of healthcare organizations require both security and privacy training, and 41% of those organizations do not encrypt their data as necessary either.
Further actions are to implement technical controls that minimize security and compliance risk, such as prevention software, two-factor authentication, and logging and monitoring software. Not only is it important to ensure that devices are secured and that end users have proper security and privacy training in regard to encryption and meaningful use, but it is also the vendor’s responsibility to have more protocols and standards in place for encryption. Although this leads to a gamut of problems with standardizing encryption so as to allow interoperability, many organizations and groups are pushing for a standard for encoding patient data that allows interoperability between different healthcare systems. Other actions can be operational and administrative, such as implementing oversight committees and groups and maintaining a continually updated awareness and training program. Through these controls and actions, it is important to integrate information security strategies with organizational operations in order to have a well-integrated scope and understanding from both a technical and an administrative standpoint.