Are Health Organizations Keeping Patient Data Safe?
A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than 20,000 patient medical records were exposed in yet another hospital data breach. A report from the Health and Human Services Department (HHS) found that more than 7.8 million people had their medical information compromised in more than 30,500 breaches since the enactment of HITECH, while a report from the Digital Forensics Association shows that disclosure of health industry data breaches has increased markedly during this same timeframe.
By the numbers, it would seem that the healthcare industry is in crisis when it comes to protecting patient data, and it’s costing them. According to the Ponemon Institute 2011 U.S. Cost of a Data Breach study, sponsored by Symantec, health data breaches cost $301 per lost record, which is 40 percent higher than average. Contributing to the higher cost is compliance with data protection regulations that require health organizations to do more to find, disclose and fix breach-related problems. In addition to disclosure laws in 49 states, healthcare organizations also must comply with HIPAA and HITECH.
Understandably, healthcare organizations, like financial institutions, face stricter regulation and disclosure requirements, which may contribute to the perception that there are more breaches in these industries. What’s more likely is that there are simply more ‘reported’ breaches and more headlines. But that’s not to say that the problem is overstated.
Curious Insiders and Health Data Breaches
Another report announced last week indicates that 71 percent of healthcare providers reported at least one medical records security breach in the prior year. What’s even more interesting is that the majority of breaches were insiders snooping into the records of coworkers, friends and family. The same report found that loss or theft of equipment containing PHI (protected health information) caused 20 percent of breaches.
On the other hand, nearly half of the major data breach incidents, those affecting more than 500 records, reported to HHS resulted from theft, including stolen electronic equipment such as network components, laptops or hard drives.
Rx to Reduce Risk of Breach
For all the good that healthcare IT systems and electronic medical records bring to patients and providers, they also bring significant risk if not managed appropriately. Mishandling of patient data can lead to identity theft, regulatory issues, fines and more. Healthcare organizations need to make sure that the right people have access to the right data for the right use.
By creating a culture of security through training, policies and actions, organizations can help to reduce their risk of data privacy violations. At the same time, it’s important that organizations avoid demonizing the individual and assuming his or her actions were malicious. Instead, the organization should help to educate the insider on proper security procedures and policies.
A complete prescription to avoid data loss will also include technology solutions. Symantec recommends healthcare organizations consider the following to further reduce their risk of data breach:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures, then hold them accountable
- Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
- Deploy data loss prevention technologies which enable policy compliance and enforcement
- Proactively encrypt laptops to minimize consequences of a lost device
- Implement two-factor authentication
- Integrate information protection practices into business processes
What has been your biggest challenge in protecting patient health data?
John Gobron is the national healthcare director at Symantec and has more than 15 years of experience in the healthcare industry.
Tags: compliance, data breach, data loss prevention, electronic medical records, healthcare IT, HIPAA, HITECH
Hi, nice article. Here’s some free best practice advice for the healthcare industry: http://bit.ly/nR7qBj when it comes to managing the risk of the devices. As we all know, theft of a laptop is, according to many researchers, the leading cause of data breaches.
Great post. No doubt, healthcare is a vertical that is extremely hard-hit by efforts to breach confidential personal records, both from the outside and the inside. While internal education, policy enforcement, along with network and endpoint security are critical components of a strong overall data security posture, a dedicated database security solution is an often-overlooked asset which provides the necessary last line of defense when firewalls are compromised and network security or authentication measures are bypassed by a hacker or rogue insider. The vast majority of sensitive records are contained in databases, and that makes them prime targets for information theft. Research shows that the largest breaches, representing 75 percent of records compromised, come from databases, based on a study done by Verizon in April of 2009. Unfortunately, databases are left largely unprotected in many organizations because of the heavy reliance on network security and firewalls, and the fact that traditional methods to patch the database with security updates from the database vendor require costly downtime; a process which is often put off, much to the chagrin of the organization’s compliance team. Those interested in reliable real-time protection for databases as part of a complete data security strategy should visit http://www.mcafee.com/dbsecurity.