According to the Office of Civil Rights (OCR), over 322 healthcare data breach cases were reported in 2016. These are only the cases that involved more than 500 records each. The year closed with more than 16 million records exposed, primarily from healthcare providers. In fact, healthcare is the industry most vulnerable to privacy breaches.
Figure 1. Healthcare providers experienced the most data breaches in 2016
Cybercriminals find healthcare data valuable because it contains information that is rich enough for identity theft and it lasts a lifetime. Unlike financial data that becomes worthless when changed or replaced, healthcare data is permanent, and cybercriminals can reuse it many times for different criminal activities, such as health insurance fraud and abuse. For cybercriminals, this is more lucrative than simply selling stolen data in the underground market. Overall, hacking remains the top cause of healthcare data breaches, followed by unauthorized access.
Figure 2. Causes of healthcare data breaches in 2016
Cybercriminals also find healthcare organizations easy to attack because many of them have inadequate security measures and practices in place. According to a survey, the health sector has the lowest rates of data encryption, with only 31% of institutions reporting extensive use of encryption. OCR states that the majority of healthcare data breaches occur on hacked network servers:
Figure 3. Most healthcare data breaches in 2016 occurred on network servers
While healthcare organizations are aware of the financial consequences of HIPAA violations due to data breaches, many entities still struggle to manage data privacy. In July 2016, a public university in Oregon agreed to settle potential violations amounting to $2.7 million for multiple breaches, with two reports involving unencrypted laptops and another involving a stolen unencrypted thumb drive.
Data breaches against healthcare are not going away anytime soon, as experts predict that healthcare organizations will be targeted the most in 2017. How can healthcare organizations prevent data breaches? Let us look into these five strategies:
- Encrypt your data or, better yet, ban unencrypted devices. It is important to encrypt your files so that if a security breach occurs, the contents of your files are not exposed. Also, the absence of encryption can be a factor in noncompliance. Ponemon Institute’s findings reveal that extensive use of encryption decreases the cost of a data breach by 10 percent.
- Conduct regular employee security training. 62 percent of employees lack data security training, according to Ponemon Institute. The study reveals that theft is preventable through employee training.
- Periodically assess your IT security policy. Be sure to align your IT security policy with HIPAA. One of the many security measures to include is enforcing password strength requirements with a scheduled password expiration.
- Screen your business associates (BAA) carefully. If your business associates or any third-party services have access to PHI, research their policies carefully to make sure that they comply with HIPAA. Even if a BAA causes the breach, your healthcare organization is still likely the one to receive the negative publicity and market reaction.
- Choose a trusted technology partner. The risk of exposing ePHI is growing. Today, most healthcare organizations store healthcare data on-site. However, the use of cloud services is on the rise with a projected growth of $9.5 billion by 2020. If you need third-party providers to manage your data, choosing the right cloud technology partner is a vital strategy to reduce risk.
Caspio’s HIPAA-Compliant Edition provides all the required HIPAA safeguards to help you build healthcare cloud applications while protecting the confidentiality, integrity, and privacy of PHI.
To learn more about choosing a trusted cloud technology partner, read our blog post, How to Choose HIPAA-Compliant Cloud Services for Healthcare.