Data breaches target businesses and organizations from every industry, and the healthcare industry is not spared. Patients’ sensitive medical records are at risk of being exposed to the public, or being used by cyber crooks to blackmail helpless victims. Moreover, the damage that breaches cause stands at an average of $5.9 million. Without a doubt, breaches are a serious issue and must be dealt with by all industries.
The Secretary of the United States Department of Health and Human Services, as required by Section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), maintains an online list that reports breaches of health information that affect 500 or more individuals. You may find the list of breaches here. In this list, you may see just how prevalent data breaches in the healthcare industry are.
President Barack Obama signed the HITECH Act into law in 2009 to stimulate the adoption of electronic health records and supporting technology. Subtitle D of the Act is concerned with the privacy and security of electronically transmitted health information. In essence, it strengthens the enforcement of the Health Insurance Portability and Accountability Act (HIPAA), the prevailing US legislation that safeguards the data privacy and security of medical information. President Bill Clinton signed HIPAA into law in 1996.
According to Forbes, data breaches of health information in 2015 affected over 112 million records. Perhaps the biggest is the data breach of Anthem, Inc. in February. Anthem initially reported that hackers stole over 37.5 million records when they broke into the servers. They then raised the number to 78.8 million and stated that the breach extended to the brands under which Anthem, Inc. markets its plans. Anthem concluded that medical records and financial information were not affected, but the hackers were able to steal personally identifiable information such as names, birthdays, home addresses, e-mail addresses, Social Security numbers, employment information, and medical IDs. The stolen information can be used by the crooks for identity theft, or to blackmail the victims.
In this light, here are six tips on how organizations and businesses from the healthcare industry can avoid data breaches:
One of the causes of data breaches is human error. To eliminate this, healthcare organizations must provide proper training on regulations and protocols related to data privacy and security. Even more support must be given to employees who are using mobile devices because they are exposed to more risks. Ensure that employees don’t store data on unsecured drives and other devices.
Your employees have a major role in keeping your data private; make sure that they keep that in mind.
Outdated operating systems and applications are exposed to more risks than updated ones. Remember to update your systems to ensure that you have the highest level of protection available, because patches try to cover all identified threats. Sure, updates can sometimes take a while to download and install, but keep in mind the benefits that these entail. So don’t be annoyed; system patches are there to help you!
Some healthcare institutions employ the services of third-party vendors of data storage systems. When choosing your partners for data storage, make sure that they observe the best practices in keeping data secured at all times. Furthermore, ensure that your data storage vendor is HIPAA-compliant.
Some organizations implement a “Bring Your Own Device” policy out of the idea that they can save up to $900 a year per employee in doing so. But what is saved in company equipment costs is overshadowed by the risks that doing so carries, as it is difficult to maintain the highest security measures on personal devices. Think the policy over. Are the perceived savings worth the increased security risk?
Security assessments done on a regular basis can help solve risks before they become actual threats. Third-party security assessors can provide a holistic picture of where your weaknesses are, and how you can address them. Moreover, these organizations are up-to-date with the solutions and the policies involved in preventing and countering security risks.
When you partner with external organizations to do specific tasks for you, ensure that they do so properly. We mentioned this for data storage already, but other facets of the organization may also pose risks when entrusted to the wrong hands.
Take for example Travelers Casualty and Surety Company of America’s suit against Ignition Studio, its web designer, where the insurance company claims that the designer failed to install even the basic anti-malware and encryption on the server of Alpine Bank, as well as to install software patches, which gave way to the breach.
Healthcare organizations must take into consideration that they hold highly confidential information and that they must ensure data privacy at all times. In partnering with third-party organizations, make sure that they understand this, and that they provide the highest level of security that they can.
We must accept that evildoers will always be there so we should do our part to keep our data away from them. As David Brin said,
“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
We are primarily responsible for keeping our own data secured, so keep the entire organization educated about measures to do so. Employing preventive measures will not guarantee that your data will never be breached, but it will be hard for the cyber crooks to do so if you follow the best practices in maintaining solid data security.
In the end, preventing a data breach from happening is so much more efficient than fixing the damages that will occur when the worst-case scenario comes. Patients are entrusting healthcare institutions not only with their well-being, but also with the privacy of their medical records, so pay close attention to keeping health information safe by following our six tips above.
This post is brought to you by Kenneth Sytian of Sytian Productions.