PORTLAND, OR – Data breaches have become the new healthcare "epidemic," says one expert.
Mahmood Sher-Jan, senior director of product management at ID Experts, an Oregon firm specializing in breach prevention, said he'd recently read that breaches of healthcare data have surpassed the 10 million records threshold.
"The word epidemic immediately hit me," said Sher-Jan. "Hidden in the daily barrage of reported data breaches is the risk that consumers will become fatigued and desensitized to the issue. When faced with such information and sensory overload, it is useful to use known analogies or references to help us quickly process the information to gain a better understanding of its merits."
Sher-Jan believes that "similarities with medical epidemics offer a useful reference point that can help us better relate to the growing issue of data breach and its implications."
He shared with Healthcare IT News five reasons that breaches of protected healthcare information (PHI) have become an epidemic:
1. Both attack innocent and unsuspecting people and deplete the resources of the healthcare industry and governmental agencies.
By definition, an epidemic may start small but ultimately impact a large number of people across geographic and economic boundaries with long-term ramifications. The same can be said about data breaches since the real impact, or harm, to the patients may not be known for quite some time. When PHI is breached, there are added risks beyond financial considerations – including risks of medical records being polluted, leading to physical harm to the victims, much like healthcare epidemics.
2. Both need thoughtful and prompt crisis management.
In an epidemic, it is essential to have a practical and systematic response plan, to communicate to patients who are at risk how to protect themselves, and to make available the necessary services, remedies and vaccinations in a timely fashion. The same is true of a data breach: follow best practices when responding, follow statutory notification guidelines and offer help to the affected patients.
3. Both need root cause analysis, quick and competent containment.
Experts must be quickly assembled and the infected patients must be quarantined. This is similar to a security breach, where the breached system(s) must be isolated from the network for forensic analysis. The use of antibiotics and vaccinations is analogous to applying software patches and updating antivirus signatures.
4. Both cause economic and emotional damage, coupled with the risk of a PR nightmare.
People avoid visiting places suffering from epidemics, while patients avoid providers that can't keep their information private. This breach of confidence and trust is common to both epidemics and data breach events. Both can quickly spiral out of control and create a PR nightmare, drawing more attention and scrutiny if not handled properly.
5. Eradication is often unfeasible or costly.
Epidemics can have very long lifecycles. Often, not everyone at risk can be made aware or convinced of the risks and the costs. The same can be said about data breaches, where human behavior and technology are contributing factors. The similarity between epidemics and data breaches is striking when you consider that neither is completely preventable, so it is best to be prepared to contain the risks through an appropriate level of diligence and persistence.
"Like an epidemic, the threat and impact of a data breach can be reduced, but only through proper planning and immediate and appropriate response," said Sher-Jan. "Understanding risk factors combined with taking action to reduce risk is how healthcare organizations will overcome this epidemic."