Healthcare providers today are under intense pressure to ensure that their patients’ private information — personally identifiable patient information, healthcare treatment and medical history — remains secure. The new reality is that security breaches are occurring with alarming frequency. In fact, the research firm IDC estimates that 50 percent of healthcare organizations experienced between one and five cyber attacks in 2014.
And a recent study from the Ponemon Institute, sponsored by ID Experts, paints an even grimmer picture. Their research concludes that 91 percent of organizations have suffered a data breach in the past two years, 39 percent have experienced more than two and 40 percent have suffered more than five.
The stakes are incredibly high for healthcare companies — a loss of data will destroy patient trust, causing them to search for other providers that they believe can keep their information secure. And there are significant penalties that can be levied for not keeping patient data secure.
The Office of Civil Rights can fine organizations that do not take the proper precautionary security measures up to $1 million for a data breach. OCR’s stiffest penalty was issued last May, when it hit New York-Presbyterian Hospital and Columbia University with fines totaling $4.8 million for failing to secure the electronic health records of 6,800 people. While the federal government has only issued fines for 22 data breaches to date, healthcare organizations should be proactive about improving healthcare data security.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted as a broad Congressional attempt at healthcare reform — primarily to ensure the security and confidentiality of patient information — and to mandate uniform standards for electronic data transmission of patient health information.
In 2010, the Affordable Care Act brought a surge in the number of patients with electronic health records. This has exponentially increased the amount of information that organizations storing healthcare data must secure, making their task that much more challenging.
Here are a few areas to examine for improving your healthcare data security:
Don’t neglect encryption
Granted, it’s not always cheap to encrypt data; the totals can run into the $100s per user. Robust encryption can insulate you from HIPAA fines and provides an added layer of security that helps foster trust with your patients, making the investment in encryption well worth the cost.
Strengthen data management policies
While controlling the end user can be difficult, companies can mitigate their risks by putting security systems in place to help keep users from mishandling data. For instance, some networks will allow a doctor to download patient data to Dropbox. That’s a big no-no. To make sure patient information is secure, organizations need to develop strong data management policies that minimize the opportunity for healthcare data breaches.
Educate the end user
Talk to most cybersecurity experts and they will tell you the same thing: cyber breaches typically start with people. For all the stories of sophisticated hackers, data is most often put at risk by ordinary employees who are careless or ignorant of the risks.
Instead of just telling doctors not to use Dropbox, explain why it is harmful. Be proactive and provide them with secure tools to achieve their objectives so they won’t resort to unsafe and dangerous methods that put patient data at risk.
Review physical access controls
While managing the risk around physical security in a hospital can be a daunting task, don’t neglect strong physical access controls and policies. While the majority of healthcare information is stolen online, there are cases where data centers were physically broken into and the servers containing valuable information were stolen.
Malicious intruders might include a disgruntled former employee who tampers with networks to allow outside access or provides credentials to criminals. It’s imperative that your facility has robust physical security protocols in place to monitor the actions of everyone who comes in contact with the building — even your own employees.
What this means for you and your patients
If you carefully consider and implement the controls and strategies discussed here, you will be better prepared to protect your organization’s healthcare data. Data breaches have become an all-too-common experience, but with the right preparation you can greatly reduce your organization’s risk of being breached and/or penalized, which could result in even greater financial losses due to the mass departure of patients. Taking appropriate security measures gives your patients confidence that their data is secure and increases the security of your business.
Thomas Lewis is a partner-in-charge of LBMC Security & Risk Services.