With new threats emerging every day, all healthcare organizations, regardless of size, are at risk for data breach. The industry has seen 16 breaches—with more than 500 individuals in each incident—in the last 16 months. Of those 16, some were from hacking, some were from theft of equipment (portable items such as external hard drives, flash drives, and laptops), two were “unauthorized access” incidents, and at least one was a compromise of paper.
As the number of data breaches in healthcare surges, so does the cost of remediation, according to the latest Ponemon Institute study, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data sponsored by ID Experts®. In fact, the report shows 91 percent of healthcare organizations had at least one data breach. Healthcare data breaches are costing the industry $6 billion annually—startling statistics to say the least.
This year, the study was expanded beyond healthcare provider organizations to include business associates (BAs) to show the impact that third parties have on the privacy and security of healthcare data. Over the past two years, 65% of healthcare organizations and 87% of BAs experienced electronic information-based security incidents. Here’s a summary of other key takeaways:
- Criminal attacks are the new leading cause of data breach in healthcare, up 125% compared to five years ago, replacing “lost laptops” as the leading threat. As the root cause shifts from accidental to intentional, more breaches are attributed to a “trusted insider.”
- Most organizations are unprepared to address new threats and lack adequate resources to protect patient data. One third of respondents have no incident response process in place, and most have not performed a risk assessment, despite the federal mandate to do so.
- The threat of medical identity theft to breached individuals is growing—up by 22% from last year—yet certain harms are not being addressed. According to the Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft has nearly doubled in five years, from 1.4 million adult victims to more than 2.3 million in 2014.
Personal health information will continue to be a lucrative business for cyber criminals until healthcare providers invest in processes and technologies to protect healthcare data and prevent attacks. Media coverage of mass breaches and the focus on information governance in healthcare are pushing organizations toward this goal. Those that do not make the investment are at high risk of becoming the next day’s headline news.
Other News and Updates
Phase 2 HIPAA audit questionnaires have been sent out to selected healthcare providers, signaling that the Office for Civil Rights (OCR) is finally preparing for the long-delayed audits. However, it’s still anyone’s guess when the next round will actually begin. According to one OCR official, a variety of new HIPAA-related guidance is in the works. Once again, stay tuned.
These issues will be addressed along with other featured topics—information governance, audit management, compliance and legal issues, risk assessment and more—at the upcoming HealthPort HIM Educational Summit, July 26-29. Hope to see you there!