Data Breaches in the Healthcare Industry
Jun 04, 2020 | Jonathan Maisel
In recent years, a continuous series of cybersecurity attacks has plagued the healthcare industry, and many of these have succeeded in stealing private health data. Four out of five breaches targeted providers in the healthcare industry in 2019. Here’s what you need to know about the significance of data breaches in healthcare, and what you can do to protect your practice from accidental and intentional breaches.
What Is a Healthcare Data Breach?
A health data security breach is any unauthorized leak or theft of private health information. It may include the whole of one or more people’s medical records, or may only include snippets of information on patients. Organizations of any size may experience a data breach. In 2019, a group called Black Book Market Research found that 93% of all healthcare organizations experienced a data breach within the previous three years, demonstrating why cybersecurity is an essential consideration for all providers.
The most significant law guiding treatment of protected health information is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It has two main components.
The HIPAA Security Rule
The Security Rule covers the production, use, transmission and maintenance of personal health information. It sets forth standards on how to handle patients’ personal health data.
The HIPAA Privacy Rule
The Privacy Rule requires covered entities to put safeguards in place to defend the privacy of health data. It puts limits on what data health providers can disclose to third parties and use without the prior consent of the patient.
The Privacy Rule focuses on how providers and business associates can intentionally use a patient’s information, while the Security Rule governs the technical elements of preventing that information from getting leaked or stolen. Violating HIPAA results in civil fines of a minimum of $117 per record, which can quickly sink smaller organizations that suffer large-scale attacks.
The Impact of Healthcare Data Security Breaches
There’s no question that a data breach can have a profound impact on an organization of any size. The financial fallout from suffering a data breach is immense, with breaches in 2019 averaging a cost of $429 per patient affected. That’s up from an average of $408 per patient in 2018. The healthcare sector also experiences more expensive attacks than any other industry, spending an average of $6.5 million per breach event, compared to the $3.9 million average spent by other sectors.
One of the most concerning factors is that 51% of breaches happen when malicious actors attack healthcare organizations deliberately. These attacks cost 25% more to respond to, and their frequency increased by 21% from 2015 to 2019.
Unfortunately, a shocking percentage of healthcare enterprises are not responding to this news of escalating health data security breach occurrences. According to recent data from Black Book Market Research, a full 87% of healthcare organizations have neglected to conduct any type of cybersecurity drill to test incident response protocols. Indeed, 84% of hospitals and 65% of payer organizations don’t even have full-time cybersecurity employees on staff.
One notable distinction is that hospitals are better able to deal with breaches than physician practices. More than a quarter of hospital respondents report that their organization does not have a solution that will detect and respond to a cyberattack. This number may seem high, but a surprising 93% of physician organizations admit the same.
5 Ways to Keep Healthcare Data Secure
With increasing adoption and more widespread use of patient data under programs like the Medicare Access and CHIP Reauthorization Act, it is only going to become more challenging for healthcare providers to keep patient data secure. Providers must fortify data security practices now, so here are five steps your organization can take immediately.
1. Control Data Access
Although 51% of breaches are the result of an attack, the remainder are caused by internal actors. Whether intentional or not, insider breaches have the same fallout as external attacks, so it’s critical to ensure there are as many access protections on patient information as possible.
Data should only be accessible to the providers who need to use it to treat a patient or facilitate treatment by another provider.
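As an added example that is not part of the original post, the following Python sketch shows what "accessible only to the providers who need to use it" can look like in practice: an access check tied to a documented treatment relationship (care-team membership or a time-limited consult), with every decision written to an audit log, plus a review routine that replays an audit export from a system that logs reads but does not block them and flags the reads that had no relationship behind them. All provider IDs, patient IDs, dates and log entries are constructed.

```python
from datetime import date

# Constructed sample data (not from the post): each patient's care team, and
# time-limited consults a treating provider has granted to another clinician
# (the "facilitate treatment by another provider" case).
CARE_TEAMS = {
    "P-1001": {"dr.lee", "rn.patel"},
    "P-1002": {"dr.ortiz"},
}
CONSULTS = [
    # (patient, consulting provider, granted by, last valid day)
    ("P-1002", "dr.lee", "dr.ortiz", date(2020, 6, 30)),
]

def has_treatment_relationship(provider, patient, on):
    """True if the provider is on the care team or holds an unexpired consult on that day."""
    if provider in CARE_TEAMS.get(patient, set()):
        return True
    return any(p == patient and c == provider and on <= last
               for p, c, _granted_by, last in CONSULTS)

def authorize_access(provider, patient, on, audit):
    """Enforcement: allow only on a treatment relationship, and log every decision."""
    allowed = has_treatment_relationship(provider, patient, on)
    audit.append({"provider": provider, "patient": patient, "on": on, "allowed": allowed})
    return allowed

def find_unjustified_access(log):
    """Detection: for a system that records reads without blocking them, list the
    reads that had no treatment relationship on that day (snooping, stale consults)."""
    return [(e["provider"], e["patient"], e["on"].isoformat())
            for e in log
            if not has_treatment_relationship(e["provider"], e["patient"], e["on"])]

# Constructed audit export from a legacy system that logs but does not enforce.
LEGACY_LOG = [
    {"provider": "dr.ortiz", "patient": "P-1002", "on": date(2020, 6, 5)},   # own patient
    {"provider": "dr.lee",   "patient": "P-1002", "on": date(2020, 6, 10)},  # during consult
    {"provider": "dr.lee",   "patient": "P-1002", "on": date(2020, 7, 15)},  # consult expired
    {"provider": "rn.patel", "patient": "P-1002", "on": date(2020, 6, 12)},  # no relationship
]

if __name__ == "__main__":
    for hit in find_unjustified_access(LEGACY_LOG):
        print("review:", hit)
```

The two flagged entries are the ones a privacy officer would follow up on; the same relationship check feeds both the live authorization decision and the retrospective review.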
2. Train Employees to Recognize and Report
Even if you have a crack team of cybersecurity experts, there may be events or vulnerabilities they miss. That’s why it’s vital to ensure all employees receive some form of cybersecurity training and have a clear protocol to follow for reporting when they detect or suspect a breach.
3. Update All Applications
The healthcare industry is notorious for operating on outdated software, and this creates immense vulnerabilities when it comes to data breaches. The timely application of software patches could have helped avert many of the most significant breaches in history, including the disastrous Equifax attack of 2017.
4. Secure Networks and Messaging
Inadequate protections on wireless networks and messaging systems create a massive vulnerability for attackers to exploit. Steps like periodically changing the free Wi-Fi password and regularly auditing users of a messaging system to ensure former employees no longer have access are musts.
5. Give Your Security Framework a Health Check
It may be wise to consult a third party for help in testing your current security framework. A trustworthy company will alert you to vulnerabilities, provide solutions and confirm HIPAA compliance within your organization.
Reduce Healthcare Data Breaches With Medical Transcription
One of the vulnerabilities inherent in the adoption of electronic health records is that doctors must provide increasingly detailed documentation. This circumstance often results in attempts to streamline the process with technology like speech recognition software. However, a human transcriptionist must check speech recognition documentation to ensure accuracy, and few organizations have the means to make in-house transcription a viable option. Additionally, making sure an in-house transcriptionist is remaining HIPAA-compliant can be a headache.
Fortunately, medical transcription services like those provided by ZyDoc fill the gap with transcriptionists who have received rigorous HIPAA compliance training and work on a secure platform that restricts access to those who need it. The ZyDoc TrackDoc™ platform prevents transcriptionists from downloading data to personal devices, ensuring your patients’ information stays secure during transcription.
Trust ZyDoc for Documentation Compliance and Safety
ZyDoc understands the need for compliance and security during the documentation process, and we have built our medical transcription services around this need. Along with accuracy, speedy turnarounds and exceptional service, we provide healthcare organizations with peace of mind in terms of compliance. Sign up for a free trial of ZyDoc today, and find out how we are combating data breaches in healthcare industry organizations.