Question

More than half of the healthcare organizations have little or no confidence that their organization could detect a data breach. How can an organization increase that confidence?

Answer #1

The privacy of personal health information pertains to the collection, storage, and use of personal information and addresses the question of who has access to personal information and under what conditions.

Confidentiality addresses the issue of how personal data that have been collected for one approved person may be held and used by the organization that collected the data, what other secondary or further uses may be made of the data, and when the permission of the individual is required for such uses.

Security: “The procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm.”

Mistakes—unintentional employee actions, third-party snafus, and stolen computer devices—are cited as the root cause of the other half of data breaches. The findings indicate that many healthcare organizations and their third parties (business associates or BAs) are negligent in the handling of sensitive patient information. They also lack the budget, people resources, and expertise to manage data breaches caused by employee negligence and evolving cyber threats, including the newest threat cited: ransomware.

Data breaches in healthcare are costing the industry $6.2 billion, and remain consistently high in terms of volume, frequency, impact, and cost—and have yet to decline since 2010—despite a slight increase in awareness and spending on security technology. While recent large healthcare data breaches have heightened the industry's awareness of the growing threats to patient data and have led to an improvement in security practices and policy implementation, respondents say that not enough is being done to curtail or minimize the risks. Nearly half of healthcare organizations, and more than half of (business associates) BAs, have little or no confidence that they can detect all patient data loss or theft. "Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem."

This is about real people and the exposure of their sensitive information. The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures.

Data breaches in healthcare remain consistently high in terms of volume, frequency, impact, and cost. Healthcare organizations are experiencing a greater volume and frequency of data breaches, suffering multiple data breaches each. Eighty-nine percent of healthcare organizations and 60 percent of BAs experienced data breaches over the past two years. Seventy-nine percent of healthcare organizations experienced multiple data breaches (two or more) in the past two years—up 20 percent since 2010. More than one-third, or 34 percent, of healthcare organizations experienced two to five breaches. Nearly half of healthcare organizations, or 45 percent, had more than five breaches. Medical records are the most commonly exposed data, followed by billing and insurance records, and payment details. While the majority of breaches are small (under 500 records) and are not reported to the U.S. Department of Health and Human Services (HHS) and the media, the financial impact is significant. The total economic impact of data breaches is $6.2 billion to the healthcare industry.

Newest cyber threat: ransomware. Criminal attacks are up and are, once again, the leading cause of data breach among healthcare organizations, causing half of all data breaches and causing 41 percent of data breaches among BAs. Mistakes cause the other half of data breaches in healthcare. Based on the research, mistakes are classified as third-party snafus, stolen computing devices, and unintentional employee actions. The most concerning cyber threats among the healthcare industry are ransomware, malware, and DoS attacks. DoS attacks have been around a long time but continue to be prevalent. Ransomware is the newest cyber threat and concern. Other top concerns to patient data are employee negligence, mobile device insecurity, use of cloud services, malicious insiders, and a growing concern about mobile apps (eHealth)—up from six percent to 19 percent.

The healthcare industry is more vulnerable to data breach than other industries. Healthcare organizations believe they are more vulnerable to data breaches than other industries. Healthcare organizations have massive amounts of valuable data and often lack a strong security infrastructure and sense of accountability. Additionally, there are lots of "data touch" points, including multiple employees and third parties. The findings indicate that employees at healthcare organizations and their BAs are negligent in the handling of patient information and are not vigilant in protecting that information. Six years after the initial study, healthcare organizations are still stymied by the lack of resources and are not investing in technologies to mitigate a data breach. In fact, 59 percent of healthcare organizations and 60 percent of BAs don't think their organization's security budget is sufficient to curtail or minimize data breaches. The findings also reveal that BAs and healthcare organizations point their fingers at each other. Healthcare organizations say that third parties and partners are not doing enough, and BAs say that healthcare organizations are not investing in technology and employees are negligent.

Patients are suffering the effects of data breaches; increased awareness of medical identity theft cases. The research indicates that more healthcare organizations and BAs are aware of medical identity theft cases that have occurred internally since last year's study. Thirty-eight percent of healthcare organizations and 26 percent of BAs are aware of medical identity theft cases affecting their own patients and customers. Healthcare organizations and BAs both agree that patients suffer an increased risk of medical identity theft and financial identity theft if their records are exposed. Despite the known risks, 64 percent of healthcare organizations and 67 percent of BAs don't offer any protection services for victims whose information has been breached. Fifty-eight percent of healthcare organizations and 67 percent of BAs do not have a process in place to correct errors in victims' medical records. Errors in medical records can be detrimental to a patient, putting the patient at risk. Such errors can leave a patient vulnerable to receiving the wrong medical treatment or obtaining the wrong medications. If an identity thief uses a patient's name or health insurance number in order to receive medical care, the patient's health history and record will get mixed with the thief's, potentially causing harm to the patient.

Healthcare organizations must ensure a timely and appropriate response in the event of a data security breach:

1. Identify vulnerabilities
The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach, as well as its origin.

There are several questions you’ll need to answer:

  • Who is responsible for the breach – internal personnel or external hackers?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

2. Seek professional legal and security counsel
Seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft documentation and communications related to the breach. They can also provide advice on how to handle people affected by the data leak and help prepare you for the potential of liability lawsuits. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach.

The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

3. Notify appropriate parties
The HIPAA Breach Notification Rule requires all healthcare organizations that experience an ePHI security breach to adhere to a strict breach notification process. In short, covered entities (and their business associates) must notify all affected individuals and the Secretary of HHS. In addition, facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach.

Notifications must be provided in a timely manner – within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it’s considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation.

Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

4. Address risks
While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks.

Some remediation actions to consider include:

  • restoring data from clean backups
  • reformatting hacked devices, and
  • updating all accounts with new, secure passwords.

5. Manage resulting consequences
Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation. However, if you can smoothly manage the fallout by following these five steps, you’ll be on your way to repairing relationships and rebuilding trust in your organization.
