Data Privacy and Security – A Major Risk within the Healthcare Industry

The security and safekeeping of protected health information (PHI), medical records, and personally identifiable information (PII) has been an important global topic in recent years, and the statistics regarding the frequency and impact of data breaches within the healthcare industry are increasingly alarming.

According to the Ponemon Institute, data breaches cost the U.S. healthcare industry an estimated $6.2 billion per year[1]. While data breaches are costly for any business, they are particularly damaging for healthcare organizations because of the sensitivity of the data they hold and the strict regulations the industry faces around data protection. For healthcare organizations, data security is not only a sound business practice but a legal requirement, given the stringent patient privacy and security rules imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[2]. Non-compliance with these regulations can carry significant consequences, including penalties, fines, and lawsuits, as well as reputational costs.

Understanding common security threats, and the proactive steps needed to prevent security incidents, is essential to protecting protected health information (PHI), which includes PII such as names, birthdates, social security numbers, addresses, insurance information, medical history, and sometimes even credit card information.

Data Breaches

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009[3] was created to impose tougher data security requirements on health care organizations, to expand data breach notification requirements, and to improve the quality and efficiency of care by promoting the adoption of health information technology (particularly electronic health records). The act set out to digitize and further secure health care data; however, the resulting growth in electronically stored records also introduced some unintended security risks.

Data breaches within the healthcare industry may be caused by a variety of incidents, primarily including:

  • Hacking/Malware/Ransomware
  • Unintentional disclosure of patient data (human error)
  • Misuse of organizational resources
  • Lost or stolen devices

Hacking and Ransomware – A Growing Menace for Healthcare Organizations

In recent years, cyber criminals have increasingly targeted the healthcare industry with ransomware, a form of malware in which rogue code effectively holds a user’s computer or an entire network hostage until a “ransom” is paid. According to the latest Protenus Breach Barometer[4], hacking incidents were the root cause of 59% of reported incidents in 2019. Without adequate disaster recovery and data backup procedures, facilities hit by these attacks have limited options: pay the ransom, or refuse and risk losing all of their data. In the worst cases, refusing to pay has left organizations with no option but to shut down and cease operations.

Indicators that a health care organization may be at higher risk of a ransomware attack include the amount and type of data it maintains, the use of unsupported operating systems, inadequate patch management procedures, and a lack of encryption standards. Ransomware attacks can have severe impacts in this industry because patient care depends on readily available electronic medical records and on networked medical devices.

Insider Threats in Healthcare

While the healthcare industry is a major target for external threats such as hackers, it is the internal members of healthcare organizations who, perhaps surprisingly, are the most common ‘threat actors’. Healthcare employees are responsible for more incidents than hackers, ransomware attacks, and malware incidents combined.

Healthcare employees pose a real threat because the legitimate access they need to perform their duties often lets them bypass many traditional network defenses, such as logical access safeguards and intrusion detection systems. Employees also often have first-hand knowledge of system vulnerabilities and control weaknesses within the organization. These internal threats cover a wide range of scenarios, from an employee falling victim to a phishing scam or losing an unencrypted device containing PHI, to more malicious cases such as intentionally selling patient data for personal financial gain.

Many healthcare organizations have implemented bring your own device (BYOD) programs, allowing employees to use their own smartphones, tablets, and even laptops for work. While letting employees use their own devices may save these organizations money, it also increases privacy and security risk. Under such programs, healthcare facilities lose some control over the data that flows across the organization. Because employees carry mobile devices with them everywhere they go, the chance of a device being lost or stolen rises. In addition, many people share devices with family members and friends, which can expose data to third parties.

There is no single solution to human error, since everyone occasionally makes mistakes. This makes strong monitoring and enforcement of procedures vital to organizations. Education is another essential layer of defense: training that emphasizes the importance of data security can reduce the likelihood of internal security incidents and limit the impact should one occur.

Impact of Healthcare Data Breaches

Data security incidents have a direct effect on patient care and can pose significant risks to patient safety. Given the sharp increase in these incidents in recent years, it is critical that organizational leadership within the industry emphasize risk mitigation. Failure to address these issues can seriously harm an organization’s bottom line, reputation, credibility, and the trust of its patients.

It is essential for organizations to perform periodic risk assessments to confirm that effective internal controls and safeguards have been implemented and are working as intended. While the methods to consider will differ with the size and nature of the organization, data security must not be ignored and should remain on management’s radar as the industry moves toward using more information systems and Internet of Things (IoT) devices to deliver more efficient and effective patient care.

If you would like to learn more about what your organization could be doing to better protect patient information, reach out to our team.

[1] Sixth Annual Benchmark Study on Privacy & Security in Healthcare Data, Ponemon Institute

[2] Health Insurance Portability and Accountability Act of 1996 (HIPAA)

[3] Health Information Technology for Economic and Clinical Health (HITECH) Act

[4] 2019 Protenus Mid-Year Breach Barometer Report