Well More than One Health Data Breach per Day
Why does the theft of health data continue to increase, even though the industry knows about the problem and so many have been hit? Last year saw a record number of healthcare data breaches, but 2017 is on track to be worse, according to recent reports released by Protenus, Inc., in collaboration with DataBreaches.net (pdf here) and by the Identity Threat Resource Center (ITRC) (here). One answer is the value of healthcare data, estimated to be 50x more valuable than a social security number or credit card, providing a motivation for hackers. Another reason is the alarming rise of insider wrongdoing. Those with the easiest access to data are stealing it. Finally, too many covered entities and business associates remain complacent about HIPAA law and have not taken steps to protect patient privacy with a complete HIPAA compliance plan and workforce training.
In the first six months of 2017, according to Protenus, 233 breach incidents were reported to the Department of Health and Human Services, on pace to exceed last year’s total of 450. The number of patient records affected in the same time frame surpassed 3.1 million. These data do not include the breaches that are under-reported or go unreported, which means the totals are likely far greater.
An astounding 41% of health care data breaches this year was the result of insiders. The studies distinguish between insider-error and insider-wrongdoing; the former includes mistakes and human error, without malicious intent, and insider-wrongdoing includes theft, snooping, and other cases where employees knowingly violated the law or patient privacy. And while error accounted for more of the incidents, the insider-wrongdoing affected almost twice as many patient records.
Hacking, including ransomware, continues to be a major threat and is reported to be responsible for 53% of breached patient records in 2017 through June. Hackers are becoming more sophisticated and some believe the next attack will be more devastating than WannaCry, Hidden Cobra, Petya or NotPetya.
The Human Impact – Nightmare Disclosures
In 2016 a New York dentistry practice was hacked by a criminal collective that calls itself TheDarkOverlord and the practice refused to pay a ransom. Frustrated by the dentist’s refusal to cooperate, the hackers published the database which contained patients’ HIV status, medications, and other sensitive health conditions. One of the worst hacking incidents in 2017 affected an outpatient private practice mental health center in Maine whose patient records were stolen and put up for sale. Extremely sensitive information about therapy, including private conversations about other people in their lives was made public. This is damage that cannot be undone.
A complete HIPAA compliance program starts at the top, with a culture of compliance and responsibility for knowing and enforcing HIPAA rules to protect patient privacy. It is not one person’s job from the Compliance or IT department, but starts with Board Members, CEOs and executive management. It includes doctors, dentists, physical therapists, chiropractors, optometrists, and their schedulers and receptionists. It includes EMS professionals, social workers, counselors, pharmacists, nurses, home health care providers and long term care facilities. All of the covered entities have business associates who support them, who “create, receive, maintain or transmit” protected health information. These business associates are independently liable for HIPAA compliance. What to do?
HIPAA Rules provide a blueprint for combating data breaches, whether caused by theft, mistake, or by inside- or external-wrongdoers. A full program includes, at least, the following:
An annual Risk Analysis and an ongoing Risk Management Plan;
- A Security Rule Contingency Plan which requires data backup, disaster recovery and emergency mode operation plans;
Workforce Training to build a culture of compliance and insider awareness;
Adherence to the Breach Notification Rule.
The HIPAA E-Tool® is an easy to use, scalable solution with everything needed for a complete HIPAA compliance program. From an interactive risk analysis which creates a risk management plan, lesson plans on avoiding ransomware, guidance to analyze and manage potential breaches, and strong customer support. Written by a lawyer, in plain language, and constantly updated by a legal team, this software as a service is beautifully designed for practical use.