A recent data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward more connected care, the amount of data exchanged between organizations will only grow. This is exacerbated by more consumers entering the market because of healthcare reform and the frequency with which patients need to exchange information among numerous providers. This area is a rich target for anyone intent on stealing PHI for financial gain. Many agree that data breaches are inevitable.
Security preparedness varies greatly among healthcare organizations. An FBI report from 2014 warned healthcare providers that their cyber security systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for personal medical records and health insurance data. According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data.
Protecting this information is critical to any business, and you need to take a layered approach to security to prevent theft. Remember that your most valuable asset is the data, not the systems or devices it resides on. With more data generated every day and more people needing access to it, if you haven’t looked into secure ways of accessing and sharing that data among patients, providers and payers, you may be behind.
How do you combat the problem and close the security gap? Here are a few steps to proactively address the problem:
Encrypt your Data
According to a 2014 Healthcare Breach Report, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss. The headlines make it appear that hackers are attacking databases, but the reality is that most of the problems stem from unstructured content inside documents, and those documents are not encrypted. Encrypting your data is vital to protecting your information and your patients’ information. This is no longer an option, but a requirement. Recent privacy and security laws, like those from NJ, mandate that insurance carriers encrypt personal information. This will logically extend to anyone that deals with the carriers and handles PHI.
Prevent Unauthorized Access
Many organizations will apply basic data encryption or endpoint encryption to meet the letter of the law. If your encryption is only active while the data sits on a device, you have a vulnerability as soon as someone shares the information: the copy that leaves the device is no longer protected. You need to prevent any unauthorized person from accessing the information regardless of its location or format. Applying dynamic security policies that travel with the information and protect it persistently is critical. Make sure only those needing access to PHI have it.
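The contrast drawn in the two sections above (documents encrypted only at rest on a device versus protection that follows the document) can be shown with a small policy-bound envelope. The following Python is an added illustration, not code from the original article or from any product it alludes to: each document is encrypted, its access policy (allowed roles and an expiry) is bound into the authentication tag, and every open re-checks that policy, so a copy e-mailed to a third party is as protected as the original. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) is a standard-library stand-in for an AEAD such as AES-GCM, and the master key is passed in directly, where a real deployment would hold it in a key or policy service that performs the check; the patient record and role names are constructed sample values.

```python
"""Policy-bound document protection: the access policy travels with the
ciphertext and is re-evaluated on every open, wherever the file has been copied.
Added illustration only; uses an HMAC-based stream cipher as a stand-in for AES-GCM."""
import hashlib
import hmac
import json
import secrets


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey (encryption or MAC) from the master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (illustration only)."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def protect(document: bytes, policy: dict, master_key: bytes) -> dict:
    """Encrypt a document and bind its access policy into the authentication tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(master_key, b"enc"), nonce, len(document))
    ciphertext = bytes(p ^ k for p, k in zip(document, stream))
    policy_json = json.dumps(policy, sort_keys=True).encode()
    # Encrypt-then-MAC over nonce, policy and ciphertext: editing the policy
    # (for example adding a role to the allowed list) invalidates the envelope.
    tag = hmac.new(_derive(master_key, b"mac"), nonce + policy_json + ciphertext,
                   hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "policy": policy,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_document(envelope: dict, requester: dict, master_key: bytes, now: int) -> bytes:
    """Verify integrity, evaluate the embedded policy for this requester, then decrypt.

    `now` is a Unix timestamp supplied by the caller so the check is testable."""
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    policy_json = json.dumps(envelope["policy"], sort_keys=True).encode()
    expected = hmac.new(_derive(master_key, b"mac"), nonce + policy_json + ciphertext,
                        hashlib.sha256).digest()
    # Constant-time comparison; integrity is checked before any policy decision.
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise ValueError("envelope tampered with or wrong key")
    policy = envelope["policy"]
    if requester.get("role") not in policy["roles"]:
        raise PermissionError(f"role {requester.get('role')!r} not permitted by policy")
    if now > policy["expires"]:
        raise PermissionError("access window for this document has expired")
    stream = _keystream(_derive(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample: a fictitious record, a master key and a policy.
    master = b"constructed-master-key-do-not-reuse"
    record = b"Patient: Jane Roe; MRN 000123; Dx: hypertension"
    env = protect(record, {"roles": ["physician"], "expires": 1_900_000_000}, master)
    print(open_document(env, {"role": "physician"}, master, now=1_800_000_000))
    try:
        open_document(env, {"role": "billing"}, master, now=1_800_000_000)
    except PermissionError as exc:
        print("denied:", exc)
```

The point of the construction is that the policy is part of the authenticated payload: a recipient who copies the envelope to another system still has to pass the same role and expiry check, and cannot widen the role list without breaking the tag. Revocation and audit logging would live in the service that holds the master key.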
Train your Staff
Everyone with access to PHI, from the executives to the janitorial staff, needs to be fully trained on all HIPAA regulations and requirements. This includes contractors, since you may be responsible for the security of your information as you share it with third parties. As state privacy laws and data breach regulations continue to mature, ask your legal department to keep you up to date. Training your staff on current regulations protects information shared within your organization and as it’s shared with outside parties.
Conduct Annual Risk Analysis
HIPAA regulations require your organization to conduct and document a comprehensive risk analysis every year. The analysis should assess your health information management systems and all processes related to the creation of and access to PHI. Understanding and remediating your security vulnerabilities needs to be at the top of the list of actions.
As the recent data breaches at Anthem, Premera Blue Cross and Advantage Dental illustrate, data breaches are inevitable and you need to proactively try to prevent them. The value of your patients’ healthcare and insurance data, and the value of your business, are at stake. Lock down your data, control its access at all times and ensure that everyone who touches it understands how to protect it.