How to Prevent Healthcare Data Breaches (and What to Do If You're a Victim)
Personal health information is worth 50 times more to thieves than credit card or Social Security numbers, so it's no surprise that healthcare organizations are prone to data breaches. Preventing them is difficult, and so is mitigating the damage they can cause. Here experts discuss how organizations can avoid breaches and a nonprofit that suffered a breach in 2011 explains how it responded.
News: HITRUST Builds Cybersecurity Threat Center
Speaking at the Privacy Security Forum, Leon Rodriguez, director of the Office for Civil Rights, agrees that encryption technology is key to avoiding breaches. (Under 2009's HITECH Act, the loss of encrypted PHI, or of encrypted hardware that contains PHI, is not considered a data breach.) Training matters, too, he adds, as there is always "some human frailty" to a data breach that's unrelated to technological vulnerabilities.
HIPAA Business Associates, Hackers Need an Organization's Careful Attention
The HITRUST report notes that data breaches involving HIPAA business associates—which, as noted, HIPAA-covered entities are responsible for—have accounted for 21 percent of breaches in the last three years and 58 percent of the records lost. This points to a need for "proactive due diligence," Hourihan says. It's been a problem, and it will continue to be a problem, because businesses sign a contract and then don't do anything else."
To combat this issue, healthcare organizations should first ask for a business associate's most recent security audit and risk analysis and then work with the BA to fill the gaps that could result in a data breach. Since some providers have hundreds, if not thousands, of BAs, Hourihan suggests giving the most attention to electronic health record vendors, vendors that support critical business functions and other companies that interact with customer data.
Healthcare organizations also need to be aware of hackers. While hacks account for only 8 percent of reported data breaches, Hourihan thinks the actual number is higher, as HITRUST has seen PHI for sale on underground message boards that often can't be tied to a reported breach. With PHI worth up to 50 times more to hackers than credit card or Social Security numbers, Hourihan and HITRUST expect to see a "pretty significant rise" in hacks in years to come.
David Harlow, principal of The Harlow Group LLC, acknowledges that the industry "collectively need[s] to do a better job cracking down on those exploits."
Doing so requires a mix of technology, education and leadership. For Rodriquez, it's that final point that matters most—not just for preventing hacks but also for preventing data breaches and doing the sort of due diligence that MAeHC did in order to avoid an OCR fine. "It comes down to leadership owning compliance issues and doing so consistently. It's that leadership that makes all the difference," he says.
Brian Eastwood is a senior editor for CIO.com. You can reach him on Twitter @Brian_Eastwood or via email. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.
Google I/O 2013's Coolest Products and Services
How to Prepare for Windows 8 (Just in Case)
Mobile EHR Help eClinicalWorks Put Patients First
5 New Gmail Tips for Power Users 
