With the increasing frequency of data breaches across many industries - and the financial impact of spiraling costs required to deal with the aftermath of a breach - the threat of cyber attacks continues to pose a significant danger to organizations and consumers alike.
The healthcare industry is uniquely vulnerable to cyber threats. The sensitivity of the information held on its systems means that the cost of dealing with a breach is significantly greater than in any other industry. In the 2018 Cost of Data Breach study by the Ponemon Institute, healthcare suffered the highest per capita data breach cost, at $408. This was almost double that of the financial sector, which had the second highest per capita cost ($206).
In this article, we’ll look at statistics surrounding data breaches in healthcare, and explore how healthcare providers can ensure the integrity and security of their systems.
Why is data security important for healthcare providers?
Due to the sensitive data collected and stored by healthcare providers, the penalties for data breaches can be severe and cause significant financial and reputational damage. In 2016, Advocate Health Care Network paid $5.55 million to the U.S. Department of Health and Human Services to settle potential HIPAA violations, and over $28 million was paid to HHS in HIPAA fines last year.
According to HIPAA Journal, in 2018 there were eighteen separate data breach incidents in which over 100,000 records were lost or stolen. The biggest of these - in which billing vendor AccuDoc Solutions was hacked - resulted in the records of 2.65 million Atrium Health patients being exposed for a week.
Healthcare breaches cost the industry $6.2 billion annually, in addition to the inevitable negative press coverage and the erosion of consumer trust.
Which types of information are at risk in a data breach?
Examples of the information held by healthcare organizations which could be at risk of exposure from security breaches include:
- Name
- Identification number (such as a Social Security Number)
- Date of birth
- Bank account information
- Credit card details
- Patient health records, medication history and other healthcare information
- Health insurance plan information
- Medicaid identification number
The theft of even just one element from the list above could be enough to trigger a full-scale identity theft for an individual whose information is compromised.
With the number of healthcare records exposed in 2018 totaling almost ten million, it has never been of greater importance for providers to put a serious emphasis on robust security measures to prevent unauthorized access to health information.
What are common reasons for data loss amongst healthcare providers?
As is the case in every industry, healthcare is not immune from the dangers posed by hackers, phishing, human error or internal misuse of data - all of which can contribute to the increased probability of data loss.
Verizon recently published its 2019 Data Breach Investigations Report, which contained additional insights into the reasons for breaches in healthcare security. The report found that hacking and the use of stolen credentials were the most common causes of data loss; a typical example is a phishing email that fools users into entering their email credentials on a fake website. The stolen credentials are then used to access the user's cloud-based email account, which in turn gives access to any patient data sitting within the inbox or other folders.
In addition, the report states internal members of an organization are the most common ‘threat actors’ to healthcare providers, listing human error and sending healthcare data to the wrong recipient as common causes of data breaches.
The report highlights that data breaches can affect healthcare providers in a number of ways, but there are best practices for organizations to follow which can reduce unnecessary security risks.
What steps can healthcare providers take to stay secure?
Prioritizing security measures is essential for any organization that deals with confidential or private information - but the evident risk to healthcare providers means that a number of measures must be taken to protect patient details.
If you work in a health-oriented organization, think about how many of the following steps your business is taking to ensure you are keeping patient details safe and secure:
- Carry out a risk assessment. The first step is to assess your existing setup and identify any potential danger zones or access points for hackers or cybercriminals.
- Improve and maintain network security. Ensure that there are no vulnerabilities in your system by regularly updating anti-virus software and implementing cutting-edge security solutions.
- Train your employees. With so many incidents arising as a result of internal misuse, provide training and information to your employees to ensure they are aware of best practices for data security in the organization.
- Destroy unnecessary data. Securely dispose of all confidential information when it is no longer required, including physical and digital data.
- Protect payment information. Use processes such as tokenization (anonymizing credit card information using algorithmically generated numbers which cannot be traced back to the original details) to protect the payment details of your consumers.
If you haven’t already, putting in place a strategy to meet the guidelines for PCI compliance will also improve the overall information security of your organization and significantly reduce the chance of a data breach, which could result in a damaging loss of customer information.
Healthcare providers shouldn’t take risks
Media coverage of data breaches is becoming commonplace, and the aftermath can linger for years after the original event. Recently, two Chinese individuals were found guilty of hacking into Anthem Inc - five years after the breach took place.
Risk management and ensuring that consumer data doesn’t fall into the wrong hands should be a priority for every business, but this is of particular importance in the healthcare sector, given the sensitivity of the information handled at all organizational levels.
Healthcare providers must place security awareness - from preventing unauthorized access to medical data, to the protection of customer payment credentials - at the top of the priority list.