How to Prevent Healthcare Data Breaches (and What to Do If You're a Victim)
Personal health information is worth 50 times more to thieves than credit card or Social Security numbers, so it's no surprise that healthcare organizations are prone to data breaches. Preventing them is difficult, and so is mitigating the damage they can cause. Here, experts discuss how organizations can avoid breaches, and a nonprofit that suffered a breach in 2011 explains how it responded.
Thu, December 20, 2012
Speaking at the Privacy Security Forum, Leon Rodriguez, director of the Office for Civil Rights, agrees that encryption technology is key to avoiding breaches. (Under 2009's HITECH Act, the loss of encrypted PHI, or of encrypted hardware that contains PHI, is not considered a data breach.) Training matters, too, he adds, as there is always "some human frailty" to a data breach that's unrelated to technological vulnerabilities.
HIPAA Business Associates, Hackers Need an Organization's Careful Attention
The HITRUST report notes that data breaches involving HIPAA business associates—which, as noted, HIPAA-covered entities are responsible for—have accounted for 21 percent of breaches in the last three years and 58 percent of the records lost. This points to a need for "proactive due diligence," Hourihan says. "It's been a problem, and it will continue to be a problem, because businesses sign a contract and then don't do anything else."
To combat this issue, healthcare organizations should first ask for a business associate's most recent security audit and risk analysis and then work with the BA to fill the gaps that could result in a data breach. Since some providers have hundreds, if not thousands, of BAs, Hourihan suggests giving the most attention to electronic health record vendors, vendors that support critical business functions and other companies that interact with customer data.
Healthcare organizations also need to be aware of hackers. While hacks account for only 8 percent of reported data breaches, Hourihan thinks the actual number is higher, as HITRUST has seen PHI for sale on underground message boards that often can't be tied to a reported breach. With PHI worth up to 50 times more to hackers than credit card or Social Security numbers, Hourihan and HITRUST expect to see a "pretty significant rise" in hacks in years to come.
David Harlow, principal of The Harlow Group LLC, acknowledges that the industry "collectively need[s] to do a better job cracking down on those exploits."
Doing so requires a mix of technology, education and leadership. For Rodriguez, it's that final point that matters most—not just for preventing hacks but also for preventing data breaches and doing the sort of due diligence that MAeHC did in order to avoid an OCR fine. "It comes down to leadership owning compliance issues and doing so consistently. It's that leadership that makes all the difference," he says.