Flood of health data breaches coming

Time is right to beef up security precautions, warns security expert
By Diana Manos

Get ready, because data breaches are expected to rise in 2014, especially in the healthcare industry. New security threats and regulations that call for more transparency will be partly to blame.

A new report from Experian Data Breach Resolution says healthcare will face a "perfect storm" for breaches in 2014. The Affordable Care Act, with its increased activity, as well as more people signing up for health insurance, will only make the target that much larger. Experian predicts the opening of a floodgate for healthcare breaches in 2014.

The time is right to beef up security precautions, warns Michael Bruemmer, vice president of Experian.

More and more organizations have learned how to identify and respond to security incidents, and this has lowered the cost per record of a data breach. This trend is expected to continue, and that’s good news, says Bruemmer. But it doesn’t mean you should let down your guard. If you’ve had one incident, don’t think you’re in the clear. Count on having another, Bruemmer says.

The use of the cloud and big data means there will be more multi-country breach events. The biggest challenge here will be awareness of each country’s regulations and complying with all of them. Privacy attorneys who work in foreign jurisdictions are best suited to help organizations understand the global notification responsibilities after a breach, Bruemmer says. Some international breach notification laws can be quite onerous. In 2014, the European Union is expected to pass privacy legislation that would require notification of breaches within five days. If you store anything in the cloud or have any international networks, and fail to comply, this could add up to significant fines that can cut into your bottom line.

Cyber insurance will continue to sell like hotcakes in 2014, just like it did in 2013. Most organizations are looking for ways to reduce risk, and that’s one good way, Bruemmer says. Because of this boon, cybersecurity insurance companies are likely to expand their offerings to include insurance geared toward particular market segments, including small businesses. Buying cyber insurance is a good idea, Bruemmer says. It’s not a sign of throwing in the white towel; it’s just good business sense. Fight the battle on all fronts. A lot of companies and organizations are already coming to that conclusion. A survey conducted by Experian and the Ponemon Institute last March showed one third of organizations are already buying cyber insurance, and one third more are planning to do so in 2014.

Breach fatigue is setting in and is expected to get worse next year. In 2012 alone, one quarter of the U.S. population received at least one letter notifying them they had been breached. As laws get more stringent and more awareness is raised, the notifications will increase. Breach fatigue is causing people to disregard these notices. The worst case scenario in the healthcare sector could find someone failing to take action when their healthcare identity has been stolen. Then, when they go in for a procedure or treatment, their medical records could contain incorrect information. All sorts of medical errors and complications could be the result.

In 2014, expect regulators to be more helpful. Regulators don’t want to be the bad guy, and Bruemmer says he’s seeing more of them reach out to organizations that have experienced a breach. Work with them, and they will work with you.

In the end, Bruemmer says, the best advice is to get a security plan in place and make sure you practice it.