The How and Why of Healthcare Data Breaches

Cybersecurity is a very real concern for the modern American; 64% of this country’s citizens have personally experienced a major data breach, and because of this, faith in institutions to safeguard personal information is at an all-time low.[1] Having personal, sensitive information compromised is a nightmare for both the individuals affected and the business or institution that suffered the attack. While financial data was originally perceived to be the most likely target of cybercrime, it is now apparent that healthcare data breaches are becoming increasingly common and serious; unlike a stolen credit card, you can’t simply cancel your healthcare information.[2] In order to better understand why this trend has increased, what’s at stake for hospitals suffering data breaches, and how this problem can be combated, here’s a condensed summary of the issue:

Why is healthcare targeted?

Once a hacker has procured Protected Health Information (PHI), there is little that can be reversed. Most medical files include patient names, dates of birth, social security numbers, health insurance information, driver’s licenses, billing information, and medical diagnostic information, all of which can be sold on the black market and used in a myriad of ways.[3] According to one study, a single health record can sell for $20 while a complete patient dossier can sell for up to $500.[4]

How does it happen?

Healthcare is a field where much of the workforce is mobile – about 33% of healthcare employees work outside of the office at least once a week, and they may carry patient information on personal computers and smartphones, increasing the chances of a security breach.[5] In a 2015 PHI report that reviewed more than 1,900 data security incidents, about 45% of the health data breaches studied were caused by lost or stolen laptops, tablets, or flash drives that contained unencrypted data.[6] Beyond the repercussions of human error, breaches can also be the result of unauthorized access or improper disclosure.

What are the consequences for hospitals?

Beyond the harm that can come to patients whose files have been compromised, the damage faced by a medical organization after a breach can be a near death sentence. One Chicago-based medical management services company suffered a breach when an employee of the organization left an unencrypted laptop inside a rental car, which was subsequently stolen.[7] The PHI of 23,500 patients was exposed, sending the organization into turmoil with investigations, lawsuits, and settlements that resulted in direct costs in excess of $60 million.[8] It only takes the mistake of a single person to cause monumental monetary costs and serious ramifications for an organization’s image and reputation.

What steps should be taken?

In order to decrease the chances of medical data breaches, regular training for both clinicians and non-clinicians is critical. Since IBM’s Cyber Security Intelligence Index indicated that 95% of all security incidents involve human error, it’s essential to rigorously train employees in safe cyber practices, including mindful personal web browsing.[9] Additionally, all data needs to be encrypted internally; voicemail and text messaging should be verified as HIPAA compliant; caution should be exercised when attaching any internet-connected device to the organization’s network; and vulnerability assessments and penetration testing should be conducted frequently.[10]

About 49% of Americans feel that their personal information is less secure than it was five years ago.[11] The only way to lower this figure is for health organizations to convince them that they are doing their very best to protect patients’ PHI, and in turn, outcomes for all will improve.

[1] Olmstead, Kenneth and Aaron Smith, “Americans and Cybersecurity,” Pew Research Center, Jan. 26, 2017, http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/

[2] “The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices,” Absolute Software Company, 2015, https://www.absolute.com/en/resources/whitepapers/cost-of-a-healthcare-data-breach

[3] Ibid.

[4] Ibid.

[5] Ibid.

[6] “Top 3 Causes of Health Data Breaches,” Calyptix Security, Dec. 22, 2015, https://www.calyptix.com/hipaa/top-3-causes-of-health-data-breaches/

[7] “The Cost of a Data Breach”

[8] Ibid.

[9] Wright, Carl, “New Strategies for Preventing Healthcare Data Breaches,” Electronic Health Reporter, Feb. 10, 2016, http://electronichealthreporter.com/10854-2/

[10] Ibid.

[11] Olmstead and Smith, “Americans and Cybersecurity”