Tag: HIPAA

Will Healthcare Data Breaches Increase in 2016?

A recent article in Forbes addresses the massive healthcare data breaches in 2015, in which over 112 million records were lost, stolen or inappropriately accessed. The Office for Civil Rights (OCR) under the Department of Health and Human Services publishes these data breaches as they are reported to it, as required by HIPAA. The numbers are a bit staggering. The top ten data breaches accounted for the majority of the violations, and most of the headlines focused on hackers.

While hackers breaking into systems make the headlines, there are also a large number of data breaches as a result of negligence, lost or stolen devices and basic human error.  A data breach study from 2015 estimates that breaches cost the healthcare industry about $5.6 billion annually.  While companies like Anthem may have insurance against this type of loss, you can bet those premiums are passed along to consumers through rising healthcare insurance and other increases.

As healthcare moves toward connected care, the amount of data exchanged between organizations will only grow.  So what does this mean?  It means that in 2016, we’re going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs and other vulnerable PHI.

According to a 2014 Healthcare Breach Report, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss. The headlines make it appear that hackers are attacking databases, but the reality is most of the problems are from unstructured content inside documents – and those documents are not encrypted.  Encrypting data is vital to protecting patient information.  Recent privacy and security laws, like those from New Jersey, are mandating that insurance carriers must encrypt personal information. This will logically include anyone that deals with the carriers and handles PHI.

Can we expect more of the same in 2016 or will healthcare providers and anyone dealing with PHI begin to see the light?  Legislation is getting tougher and consumer outcry may help turn the tide.  As credit card data becomes less valuable, PHI becomes more valuable.  Anthem may have insurance that covers their losses, but once your healthcare records are compromised, it’s difficult to stop the bad guys from causing you financial and legal pain.

 


Common Headline in 2015: Healthcare Data Breach

How many more data breaches can patients take? This could ultimately be the question based on last year and this year’s surge of healthcare data breaches. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.

What was the cause? An email was mistakenly sent to a “contracted provider”.

We are all too familiar with this kind of data breach. An insider who is not malicious but nevertheless accidentally sends sensitive data to the wrong person is one of the main reasons for these data breaches. Back in March 2015, at the time of an earlier article, the Anthem and Premera data breaches had just occurred, and we were worried then as well. Four months have passed and the numbers are not slowing down.

In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main point of that report, and what healthcare organizations should have realized, is not that this industry has failed in the realm of data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and failing to abide by these laws to secure customers’ data will result not only in loss of customers, but in hefty fines.

Unfortunately, even at a time when legislation is pushing for all data to be encrypted, UCLA Health System recently announced a data breach that has now affected over 4.5 million people. The stolen data was totally unencrypted, making the threat to the people whose data was in UCLA Health System's computers more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.

How do we secure that data? A multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data, no matter where they are.

Here are some advantages, taken from a previous blog post, that still apply to a data-centric security approach to protecting your sensitive information:

· Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation

· Secure files downloaded from health information systems

· Control who can View, Edit, Print and take a Screen Capture of protected documents

· Dynamically control who can access the file

· Trace and control user/file activities in real-time

· Scan files to identify PHI and apply security policies automatically

 

Protecting your patients’ information ensures that you meet healthcare regulations and maintain patient confidentiality. Reduce the risk of HIPAA violations and PHI exposure at a time when healthcare data breaches alone are reaching record numbers in 2015.

 


Still Not Encrypting Your Data?

Are we still not encrypting our data at a time when cyber-attacks have been hitting so many big names in the healthcare, retail and government sectors? Recently, UCLA Health System’s computer network was broken into by hackers, who may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, as well as some medical information such as patient diagnoses and procedures.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The reason this is making even more news is that UCLA did not take the basic step of encrypting patients’ data, even after all the major breaches at the federal government and at health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. However, these breaches seem to continue, and the vulnerability of these systems has made it a field day for hackers to steal sensitive data.

Nowadays, organizations have to worry not only about losing business and patients no longer going to their hospital; the government will also investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.

However, compliance aside, the most important aspect is to ensure that this information is really protected. A recent article in HIT Leaders and News mentions that “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”

Also mentioned in this article is the fact that recent legislation in New Jersey has taken the step of mandating the use of encryption for PHI (Protected Health Information) that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” This definitely means more than just having a password on your data; it pushes you to have a more robust method of ensuring that all aspects of the data are secure, no matter where it is.

Let us hope that data breaches such as this one have provided a lesson to other healthcare organizations, and to organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”

 
