Significance of Medical Data Breaches – Steps Healthcare Institutions Must Take
The Cost and Prevalence of Medical Data Breaches
Research based on data from 2009 until 2016 suggests that the cost of medical data breaches has reached $363 per record, according to the Brookings Institution, and by all indications, this figure can only increase in the coming years.
It is not just the cost of medical data breaches that is rising, but their frequency as well. The same research found that more than 1,500 data breaches in the healthcare field alone, up to 2016, have compromised the medical data privacy of more than 155 million Americans. And with healthcare identified as the most vulnerable of all sectors, Accenture estimated that hospitals alone are set to incur losses worth $305 billion over the next few years.
The Healthcare Industry is Disproportionately Vulnerable
Why is the healthcare industry so vulnerable to data breaches? Part of its susceptibility to cybercrime is linked to government regulations. These laws require all medical institutions to maintain electronic health records (EHR) and other practices in compliance with the Patient Protection and Affordable Care Act (Obamacare). However, not all healthcare providers possess the resources needed to secure the voluminous records they are required to maintain.
As determined hackers use increasingly sophisticated techniques to compromise patient data, even more advanced methods are needed to secure that information. This is all the more critical in healthcare, because government regulations require hospitals and healthcare providers to retain detailed patient data for long periods.
Third-Party Agencies Increase the Risk for Healthcare Providers
Yet another factor that leaves hospitals open to attack is that hackers also target medical insurance companies and the third-party vendors that provide peripheral services to the industry. As the Harvard Business Review noted, medical institutions are increasingly relying on third-party vendors to provide efficient and low-cost services to their patients, which ultimately raises the risk of medical data breaches.
Why Hackers Want Medical Records
Healthcare providers store a smorgasbord of patient data that is of great interest to hackers, including:
- Social Security Numbers
- Previous health records
- Home address
- Email addresses
- NHS number
- Results of medical diagnostic tests
- Date of birth
- And other, generally detailed, confidential information.
The period for which the records are stored and the extensive information contained within directly affect healthcare providers’ vulnerability to data theft, and the possible severity of the ramifications should cyber criminals gain access.
The High Price of Medical Data
Medical data can fetch surprisingly large sums on illegal marketplaces. A Reuters report revealed that medical information may sell for 10 times more than a credit card number.
Cyber thieves could also use patient data to extract a ransom from hospitals and other healthcare institutions.
Insurance Fraud and Access to Drugs
Beyond the resale value itself, part of the reason medical records command such a high price on the black market is that, once wrongdoers have access to detailed patient medical information, they can purchase expensive drugs and equipment or claim insurance benefits using fake IDs.
How Healthcare Institutions Can Prevent Patient Information Theft
Cybercrime experts reveal that hospitals can take several steps to protect the patient information they store.
When It Comes to Phishing, Education is Key
It is essential that both patients and hospital employees are thoroughly educated about the dangers of phishing and encouraged to be cautious when opening emails or clicking on links. Patients should carefully check all documents they receive, including medical care bills and any communication sent by insurance companies. Education must be ongoing, not a one-off exercise.
Enforceable Protocols Regarding Equipment Management
Not all medical data breaches occur through a cyberattack: electronic devices such as laptops and storage media such as hard drives and flash drives can contain a wealth of valuable medical data, so a lost, stolen or improperly discarded device is a breach in its own right.
As such, hospitals and other healthcare providers need to train all employees and personnel in their organization who may have access to equipment that stores sensitive data. All employees should be aware of HIPAA and the other patient privacy regulations that apply to them.
Hospitals and other organizations must work with certified companies to dispose of all their electronic media responsibly in accordance with HIPAA laws and regulations. By working with expert medical equipment recycling companies, they can ensure that all hard drives and other storage media are properly shredded and dispatched to recycling plants to be melted down to their alloy state.
Such professionals also provide a detailed list of the serial numbers of the hard drives and solid state drives they destroyed, along with a mandatory Certificate of Destruction, which absolves the organization of any liability stemming from that piece of equipment.
Digital System Audits
Medical institutions must conduct detailed analyses and audits of their digital systems to evaluate their vulnerability to data breaches. According to HIPAA regulations, this audit must be conducted at least every 12 months.
When the Worst Has Happened: Dealing with a Medical Data Breach
Regardless of a healthcare provider’s level of preparedness, not every data breach is preventable. Protecting the confidential data of your patients therefore goes beyond securing data against a breach: it also requires an action plan for how to respond if one or more medical data breaches occur.
Healthcare providers should assume that the medical data breach will be investigated, and should therefore document every step taken in response to it.
Assemble a Team and Define the Priorities
An incident response team should be assembled as soon as a medical data breach has been identified, and one of its first tasks should be to define its priorities. Competing priorities immediately after a breach may include:
- Preventing loss of revenue
- Preventing harm to patients
- Communicating with those affected
- Protecting the organization’s reputation
- Avoiding fines.
Restore from Backups
All healthcare providers and third-party contractors should create offline backups of all sensitive files on an ongoing basis. In the event of a data breach, the information can then be recovered from the offline backup, going some way towards mitigating the loss to the provider and its patients.
Communicate Quickly, Openly, and Honestly
Quick and complete communication to patients, regulators, and other relevant parties is not only good business practice but is also required by law.
In addition, a call center should be established to field questions from those affected and to retain the trust of patients as much as possible.
To discuss how All Green Recycling can help you to conform to HIPAA regulations and reduce the risk of a medical data breach, contact us today.