The Heavy Toll of Poor Data Security in Healthcare

August 25, 2014  by David Bailey

In what has become a farce of sorts, health care providers remain far behind the curve on data, network and email security, and breaches have risen sharply over the past few months. Although retailers took many of the headlines after the last holiday season, medical organizations have quietly racked up some of the most damaging data-security failures yet seen.

The situation is a farce in the sense that the causes of these breaches were, for the most part, entirely avoidable and show little more than widespread negligence. From messages sent to the wrong recipient with no email encryption in place to misplaced devices that were never protected, the common causes of information loss and exposure in health care, as in virtually every industry, remain simple errors.

There is nothing funny about this particular farce: tens of millions of individuals have been affected by these breaches, and patient information is among the most sensitive data there is. Health care providers must become more proactive, comprehensive and deliberate in their security planning if they are to turn matters around.

Raising alarms
The Washington Post recently reported that roughly 30 million patients in the United States have been affected by a data breach in the five years since breach-notification standards were first created, based on its own analysis of data from the U.S. Department of Health and Human Services. According to the paper, a study from the Identity Theft Resource Center found that medical organizations accounted for 43 percent of all breaches last year, and that the frequency with which they are targeted is only going up.

“It is more difficult, perhaps, for that industry to brush something under the rug and want to chance not disclosing it because the ramifications for being found out are pretty significant,” ITRC Chief Executive Officer Eva Velasquez told the source. “There’s just a lot of regulation in place there.”

It is beginning to make sense that one expert several months ago called health care the “Wild West” of information governance and IT security. Despite the fact that patient data is so sensitive and can be used by attackers for many kinds of fraud, chief among them medical identity theft, health care providers continue to be slow to adopt security controls and strategies.

Using HHS data, The Washington Post found that the records of roughly 17.4 million individuals were stolen, 7.2 million were lost outright, and a combined 5.5 million were exposed through unauthorized access and hacking. The paper also noted that the share of health care IT professionals who said their organizations had a security plan in place rose from 62 percent to 69 percent between 2012 and 2013.

That is still lackluster: every organization that handles patient data, not 69 percent of them, must have a formal policy and a set of controls in place to protect that information from internal and external threats.

Nonstop frequency
Forbes, in its weekly data breach bulletin, recently highlighted some of the latest incidents, and most of them were in the medical sector. It cited a breach at Onsite Health Diagnostics, in which hackers obtained some 60,000 employee evaluations, and an incident at Rady Children’s Hospital in San Diego that exposed 20,000 patients’ records in one fell swoop.

Want to guess what caused the latter incident? According to Forbes, officials believe an employee mistakenly sent an email containing the information of those 20,000 patients, and it was not encrypted. That adds another entry to the tally of breaches that happened simply because the organization had no email encryption or broader security strategy in place. It is worth being precise about what encryption buys here: encrypting the connection between mail servers does nothing for a message addressed to the wrong person, because it is decrypted on arrival. Only encryption that is tied to an authenticated, intended recipient, or an outbound control that recognizes patient data and stops it from leaving in bulk, addresses the misdirected-email failure.

It is time to get smart with data and communications security in health care, and here are a few ways in which decision-makers can get the job done:

Training: This may be the single most important, and most overlooked, aspect of modern data security and information governance. Health care providers that lack robust training programs for their employees are far more likely to suffer a substantial breach.
Email security: Because physicians and other staff in this industry routinely use email to exchange patient information, it is time to adopt encryption and other controls that protect this data, including controls that catch messages carrying patient data to addresses outside the organization before they leave.
Data center services: When in doubt, use secure data center services from a trusted provider, which can mitigate many breach and compliance risks.
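As an added example, not code from the article or from any of the organizations it names, here is a small outbound-mail check of the kind the email security item calls for. It treats a message the way a misdirected-email control has to: it asks whether any recipient is outside the organization and how much patient data the message and its attachments carry, and returns deliver, require_encryption or block. The domain name, PHI patterns, bulk threshold and sample messages are all assumptions constructed for illustration.

```python
"""Outbound e-mail gate for patient data (added example, not the article's code).

Classifies an outgoing message as deliver / require_encryption / block by
combining the two facts a misdirected-e-mail incident turns on: whether any
recipient is outside the organisation, and how much protected health
information (PHI) the message and its attachments carry.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Assumption: the organisation's own mail domain(s).  Anything else is external.
INTERNAL_DOMAINS = {"hospital.example"}

# Assumption: this many identifiers in one message looks like a bulk export,
# which no individual should be sending by e-mail at all, encrypted or not.
BULK_THRESHOLD = 25

# Illustrative PHI indicators; a real deployment tunes these to its own data.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[#:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def external_recipients(msg):
    """Every To/Cc/Bcc address whose domain is not one of ours."""
    raw = [str(v) for h in ("to", "cc", "bcc") for v in msg.get_all(h, [])]
    addrs = [a.lower() for _, a in getaddresses(raw) if a]
    return [a for a in addrs if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def phi_hits(msg):
    """Count PHI indicator matches across all text parts (body and text
    attachments such as CSV exports); list attachments that cannot be scanned."""
    hits, unscannable = {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            text = part.get_content()
            for name, rx in PHI_PATTERNS.items():
                n = len(rx.findall(text))
                if n:
                    hits[name] = hits.get(name, 0) + n
        else:
            unscannable.append(part.get_filename() or part.get_content_type())
    return hits, unscannable


def decide(raw_message: bytes):
    """Return (decision, details) for one RFC 5322 message.

    deliver            - internal recipients only, or external with nothing sensitive
    require_encryption - external recipient plus some PHI or an opaque attachment;
                         route via a gateway that encrypts to that recipient
    block              - external recipient plus a bulk quantity of identifiers
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    external = external_recipients(msg)
    hits, unscannable = phi_hits(msg)
    total = sum(hits.values())
    details = {"external": external, "hits": hits, "unscannable": unscannable}
    if not external:
        return "deliver", details
    if total >= BULK_THRESHOLD:
        return "block", details
    if total or unscannable:
        return "require_encryption", details
    return "deliver", details


def build_sample(to: str, body: str, csv_rows=None) -> bytes:
    """Construct a test message.  All values are made up; none are real records."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "clinician@hospital.example"
    m["To"] = to
    m["Subject"] = "follow-up"
    m.set_content(body)
    if csv_rows:
        m.add_attachment("\n".join(csv_rows), subtype="csv", filename="export.csv")
    return m.as_bytes()


if __name__ == "__main__":
    # Internal colleague, one identifier: fine as-is.
    print(decide(build_sample("nurse@hospital.example", "SSN 123-45-6789 for chart review")))
    # External address, one identifier: must leave via the encryption gateway.
    print(decide(build_sample("someone@gmail.example", "MRN 00123456, please advise")))
    # External address with a 30-row export attached: stop it and alert.
    rows = [f"patient{i},{100 + i:03d}-45-6789" for i in range(30)]
    print(decide(build_sample("someone@gmail.example", "export attached", rows)))
```

The bulk case is blocked rather than merely encrypted on purpose: encrypting a spreadsheet of thousands of records to a mistyped external address still hands it to the wrong party once they open it, so the only safe outcome for a message that looks like an export is not to send it and to have someone look at it.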

Above all else, be proactive and recognize the threats the sector currently faces.
