The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute had more surprises than Forrest Gump’s box of chocolates – surprises that were far from palatable. One key finding was that criminal attacks are up 125 percent and are now the leading cause of healthcare data breaches. Other results of the study were just as unsettling:
Surprise 1: Sixty-five percent of healthcare organizations do not offer any protection services for patients whose information has been lost or stolen. With cyber threats on healthcare data mounting, this is unacceptable. Ironically, the Ponemon study also found that 65 percent of healthcare organizations—the same percentage that don’t offer protection services—believe patients whose records have been lost or stolen are more likely to become victims of medical identity theft.
According to the 2014 Fifth Annual Study on Medical Identity Theft, conducted by Ponemon Institute for the Medical Identity Fraud Alliance, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Victims who incurred out-of-pocket costs report spending an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Healthcare organizations and business associates must make medical identity monitoring and identity restoration services available to patients whose healthcare records have been exposed.
At the same time, most people still don’t understand the serious risk of medical identity theft. They pay more attention to their credit score and financial information than to their insurance explanation of benefits (EOB) statements or medical records. They don’t understand that while a credit card can be quickly and easily replaced, a medical identity can take years to restore. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you, as ID Experts CEO Bob Gregg has said.
Surprise 2: The average cost of a healthcare data breach has stayed fairly consistent over the past five years – $2.1 million. This is in contrast to the average total cost of data breach in general, which has risen 23 percent over the past two years to $3.79 million, according to another recent Ponemon report, 2015 Cost of Data Breach Study: Global Analysis. Cyber liability insurance to cover notification costs, better options for identity monitoring, and more privacy attorneys offering help should reduce the cost of healthcare data breaches over time.
Healthcare organizations can take proactive steps to reduce the likelihood and impact of a data breach. This means addressing the tactical issues of protecting patient data. According to Dr. Larry Ponemon, founder and chairman of Ponemon Institute, healthcare organizations face “the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget.”
According to the Ponemon report, 96 percent of healthcare organizations had a security incident involving lost or stolen devices, and employee negligence is the greatest concern among these organizations. Dr. Ponemon says healthcare providers should create “a more aggressive training and education awareness program, as well as invest in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information.”
These training and awareness programs should center on protecting PHI, especially education on how to recognize and avoid phishing emails and what to do to ensure data is not disclosed. Healthcare organizations must also work with their business associates to ensure they have similar programs in place. The PHI Protection Network has also published ten strategies for protecting patient data.
For external risks such as the growing number of criminal attacks, Dr. Ponemon says that healthcare providers must “assess what sensitive data needs to be monitored and protected, and the location of this data.” I would add that board and executive management must recognize that professional hackers are targeting health data and records and, as mentioned earlier, that such attacks are now the leading cause of data breaches in healthcare. This awareness should spur enterprise-wide alignment in addressing cyber threats.
Surprise 3: Too many healthcare organizations take an ad-hoc approach to incident risk assessment. Only 50 percent of healthcare organizations in the study performed the four-factor risk assessment following each security incident, as required by the HIPAA Final Rule. Under that rule an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the organization demonstrates a low probability that the PHI has been compromised, based on at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Of the 50 percent who did perform the assessment, 34 percent used an ad hoc process, and 27 percent used a manual process or tool that was developed internally.
This practice is not acceptable. Healthcare organizations now have software tools available to help automate and streamline processes such as risk assessment and data breach response. By supporting consistent and objective analysis of security incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free an organization’s privacy and security staff to spend more time on prevention.
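The following is an added illustration of what "consistent and objective analysis" of an incident looks like in code; it is not the Ponemon study's material or any vendor's tool. It records an explicit conclusion for each of the four HIPAA factors, refuses to produce a determination while any factor is undocumented, applies the encryption safe harbor for PHI secured per HHS guidance, and derives the individual notice deadline (no later than 60 calendar days after discovery) and whether HHS must be notified contemporaneously (500 or more individuals). The sample incidents, their dates and the reduction of the overall judgment to per-factor "low" / "not low" conclusions are constructed simplifications for the example.

```python
"""Four-factor breach risk assessment record (added example, not a real product)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Factor(Enum):
    # The four factors of 45 CFR 164.402 that every assessment must cover.
    NATURE_EXTENT = "nature and extent of the PHI involved"
    RECIPIENT = "unauthorized person who used or received the PHI"
    ACQUIRED_VIEWED = "whether the PHI was actually acquired or viewed"
    MITIGATION = "extent to which the risk has been mitigated"


@dataclass
class Incident:
    incident_id: str
    discovered: date
    individuals: int
    # True only when the PHI was encrypted consistent with HHS guidance, so it
    # is not "unsecured PHI" and the notification rule does not apply.
    encrypted_per_hhs_guidance: bool = False
    # factor -> (low probability of compromise?, written rationale)
    findings: Dict[Factor, Tuple[bool, str]] = field(default_factory=dict)

    def record(self, factor: Factor, low_probability: bool, rationale: str) -> None:
        self.findings[factor] = (low_probability, rationale)


@dataclass
class Determination:
    incident_id: str
    reportable: bool
    reason: str
    individual_notice_due: Optional[date] = None  # 60 calendar days after discovery
    hhs_contemporaneous_notice: bool = False       # 500 or more individuals


def assess(incident: Incident) -> Determination:
    """Apply the presumption of breach consistently to a documented record."""
    if incident.encrypted_per_hhs_guidance:
        return Determination(incident.incident_id, False,
                             "PHI was secured (encrypted per HHS guidance); not unsecured PHI")
    missing = [f for f in Factor if f not in incident.findings]
    if missing:
        # A structured tool's main value: nobody can skip a factor.
        raise ValueError("undocumented factors: " + ", ".join(f.name for f in missing))
    not_low = [f for f, (low, _) in incident.findings.items() if not low]
    if not not_low:
        return Determination(incident.incident_id, False,
                             "all four factors documented as low probability of compromise")
    return Determination(
        incident.incident_id, True,
        "breach presumed; factor(s) not low: " + ", ".join(f.name for f in not_low),
        individual_notice_due=incident.discovered + timedelta(days=60),
        hhs_contemporaneous_notice=incident.individuals >= 500,
    )


def sample_incidents() -> List[Incident]:
    """Constructed incidents for the example; not real cases."""
    stolen_laptop = Incident("INC-1", date(2015, 3, 2), individuals=3000,
                             encrypted_per_hhs_guidance=True)

    misdirected_fax = Incident("INC-2", date(2015, 3, 9), individuals=1)
    misdirected_fax.record(Factor.NATURE_EXTENT, True, "appointment reminder, no diagnosis or SSN")
    misdirected_fax.record(Factor.RECIPIENT, True, "another covered entity bound by HIPAA")
    misdirected_fax.record(Factor.ACQUIRED_VIEWED, True, "recipient reported it unread")
    misdirected_fax.record(Factor.MITIGATION, True, "recipient attested to destruction in writing")

    phished_mailbox = Incident("INC-3", date(2015, 4, 1), individuals=1200)
    phished_mailbox.record(Factor.NATURE_EXTENT, False, "spreadsheets with names, DOB, insurance IDs")
    phished_mailbox.record(Factor.RECIPIENT, False, "unknown external attacker")
    phished_mailbox.record(Factor.ACQUIRED_VIEWED, False, "mail logs show forwarding rule and downloads")
    phished_mailbox.record(Factor.MITIGATION, False, "data cannot be recalled")

    return [stolen_laptop, misdirected_fax, phished_mailbox]


if __name__ == "__main__":
    for incident in sample_incidents():
        d = assess(incident)
        print(d.incident_id, "reportable" if d.reportable else "not reportable", "-", d.reason)
```

Because every determination carries its factor-by-factor rationale, the same record serves as the central repository and the documentation the Final Rule expects an organization to be able to produce; breaches affecting fewer than 500 individuals, which this example marks as not requiring contemporaneous HHS notice, still have to be logged and reported to HHS annually.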
So far, 2015 has been a bad year for protecting patients and their data. Increasing cyber attacks mean that even more patients and their data will be put in harm’s way. While nobody can escape the inevitable security incidents, it is my hope that we can all learn lessons from the Ponemon study and each other, and work more collectively so that next year will bring fewer unpleasant surprises and many more happy ones.