by Brad Oliger, Deployment Technician
The business and financial impact of health record data security breaches has garnered the attention of most within the medical industry. A 2014 report on Patient Privacy and Data Security from the Ponemon Institute estimates the cost of data security problems within the healthcare industry to be $5.6 billion. The reason for the trend? Hackers are making more money from personal health information (PHI) than credit card information and they are finding hospitals and healthcare providers to be much easier targets.
Cybercriminals are being paid as much as $20 for health insurance credentials in some underground markets, compared with $1 to $2 for U.S. credit card numbers, according to the findings of cybersecurity firm Dell SecureWorks. The demand for PHI remains strong in criminal marketplaces, according to experts, partly because it takes victims longer to realize and report that their information has been stolen, and because of the different ways the information can be used.
Earlier this year, the FBI issued a notice to healthcare companies stating that the industry “is not as resilient to cyber intrusion compared to the financial and retail sectors.” Healthcare practices can shore up potential vulnerabilities by:
Understanding the value and impact of protecting records
PHI theft opens the door to a variety of types of fraud including identity theft, fake billings, and receiving healthcare under false identities, to name a few. The financial impact of record negligence for a healthcare provider can continue to accumulate after a breach. Following a recent breach of 4.5 million patient records, corrective actions cost Community Health Systems millions. Hackers gained access to names, Social Security numbers, physical addresses, birthdates and telephone numbers. Just a few of the contributors to that loss were:
- Remediation (technical, legal and administrative)
- Fines associated with Health Insurance Portability and Accountability Act (HIPAA) violations
- Identity theft protection (or credit monitoring) for 4.5 million patients
- Legal defense against both patient and shareholder lawsuits (and settlements)
- The incalculable cost to the healthcare system for insurance fraud stemming from the theft of information from 4.5 million patients
No practice can assume that everything in it is secure. Properly identifying what puts a practice at risk is crucial for greater protection against PHI theft. Questions need to be asked and policies need to be put in place to recognize vulnerabilities and ensure best practices are maintained.
- Identify information that is susceptible to theft and formulate a solid encryption policy for that data.
- Determine where portable items with sensitive material are stored and ensure there is proper physical security.
- A computer network provides access from the outside world to the inside of an organization and must be secured with commercial grade firewalls and monitoring.
- Critical data must always be recoverable. If it isn’t, development of proper data loss prevention methods and practices is imperative.
- The human element also provides one of the biggest risks. Pre-employment background checks can assist in weeding out those likely to be involved in potential data breaches.
- Proper security training and policies help to prevent the misuse and mishandling of sensitive information.
Invest in data security and make it a corporate culture
Recognizing what needs to be done to protect a practice is one thing; actually executing it requires the commitment of time, money and other resources. The first step is to develop a security plan. There are a number of security checklists available online, including HealthIT.gov’s cybersecurity recommendations.
When budgeting for necessary improvements, it is important to remember that proper investments will go a long way toward protecting a practice from a potential breach that could cost both its reputation and its financial stability. A reputable technology firm can offer healthcare providers the security and IT expertise needed to help create a comprehensive data protection plan.
For more information, contact us.