According to a Department of Health & Human Services tally of data breaches since 2009, about 260 incidents occurred that went on to affect more than 10 million patients. And, it gets worse -- the second largest breach occurred not because of a hacked password but when computer back-up tapes were stolen from the back of a truck.
Security within the industry is changing, and health data breaches are a significant issue. According to Rick Kam, president and co-founder of ID Experts, now is a critical time in determining the future of health security.
"We're at the convergence of technology becoming more pervasive in healthcare," he said. "Patients want to share information and have multiple providers. This includes more sophisticated criminals as well as healthcare reform. Coming on the horizon in the area of healthcare, you could say we're at the crux of a potential data breach disaster -- if not within the next few months, within the next year you’ll see a data breach oil spill, so to speak."
[See also: Data breaches top of mind for IT decision makers.]
"We operate with three core values," added Christine Arevalo, director of healthcare identity management at ID Experts. "One is the importance of taking preventative action. The second is doing the right thing for patients and the data you're entrusted with; the system as a whole is based on the trust patients have in physicians and safeguarding their sensitive information. And the third is being compliant -- it's a regulatory matter that can’t be ignored. We’re seeing a lot more of those rules being enforced, specifically data breach notifications. Companies can't hide from those issues anymore."
With that said, Kam and Arevalo gave us the six best ways to plan for, mitigate and protect against health data breaches.
1. Perform a risk assessment. According to Kam, the first step is to understand where the threats and vulnerabilities are in regard to the patient. He suggests performing a risk assessment. "We're seeing risk assessment and mitigation in general become a discussion that’s happening at the board level," he said. "It's a lot about risk transfer and mitigation, but also about how we accomplish that in the wake of new emerging threats." And how organizations mitigate threats is changing, said Kam. In the past, directions are often given to the IT department, and money is spent deploying the latest technology. Now, Kam claims that's not where a lot of vulnerabilities lie. "It's also a narrow view on the scope of the problem," he said.
2. Inventory your PHI. Understanding what information you have that's sensitive and where it exists within the organization is key. Considering business associates and sub contractors is also vital to taking inventory of your PHI. According to Kam, it's important to note anyone who may be getting authorized access to important information. "Bringing experts in from the outside is an emerging risk," added Arevalo. "For example, as the stimulus takes hold and organizations and providers can have potential revenue growth through rising Medicare and Medicaid rates, it puts pressure on them to move patients to places like clinics as well as home healthcare outside of the facility," she said. "It's utilizing global technology, and a lot of individuals who work outside the hospital may not have a secure environment. It increases risks, and you may not even be aware of what’s happening."
[See also: Security a matter of guns and butter.]
Continued on the next page.