According to a new analysis of health care related data breaches, small medical and physician offices claim the infamous crown of "worst offender." For this specific analysis, conducted by the Health Information Trust Alliance (HITRUST), 495 breaches were evaluated. Overall, these incidents involved 21 million patient records and cost in the neighborhood of $4 billion. Why are these offices targeted, and what can be done to improve the situation?
PHI contains a wealth of sensitive information that can be used for identity theft, and it is actually valued more on the black market than credit card numbers. A medical firm with fewer than 100 employees (considered 'small' in this analysis) may not have the resources to conduct a proper HIPAA Security and Privacy assessment or to implement the various controls and policies required to keep data safe these days.
Another reason for the increased focus on smaller practices is that larger companies are experiencing a dramatic decline in PHI disclosures. Big hospitals and major health care plans enjoyed a 46% decline in data breaches in 2010-2011, and HITRUST estimates that there will be an additional 36% decline for 2012.
While "hackers" or other external agents will continue to be a thorn in the side of medical practitioners, the biggest source of PHI disclosures came from stolen laptops. However, incidents of unauthorized access to health care servers, phishing schemes and corporate espionage are expected to increase by 50% next year. Basic security awareness training around the proper handling, storage and processing of PHI is something that even the smallest firm should be addressing to reduce these statistics and protect patients.
With that said, what of the emergence of electronic health records and cloud storage? According to the report, this could lead to even more data breaches.
"The adoption of electronic health records technology among hospitals has led to 'community health records' where physicians utilize a local hospital's EHR system instead of purchasing their own. This now exposes the hospital to the same risks as the connecting practices, which often lack antimalware, have insecure or no firewalls, and share passwords. These issues in turn may lead to more breaches implicating both parties in the future."
Third-party vendors and health care providers alike are increasingly required to comply with HIPAA standards or face stiff penalties and fines. Last year, several large health care organizations were hit with penalties ranging from $1 million to over $4 million for failing to protect their records. This should encourage management to invest the time and money required to properly secure their entire network environment, provide security awareness training to staff, and put policies in place that address this very real threat.
If you own or manage a small medical practice or health care company, we would love to hear your opinion on these matters. What challenges do you currently face and how do you propose to solve them? Sound off in the comment section below.