Healthcare records in electronic form are low-hanging fruit for hackers. Protecting patients' protected health information (PHI) is important for every healthcare provider.
With millions of new patients entering the U.S. healthcare system under the Affordable Care Act, the security of digital patient data has become a major concern. The U.S. Department of Health and Human Services (HHS) has set 2015 as the deadline for healthcare facilities to start using electronic health records (EHRs), thereby ushering in the digitalization of all patient information. However, now that confidential patient data is available on health networks, it has become a bigger target for those who want to steal it and make illegal use of it.
Healthcare data breaches have doubled in the past few years, and the trend continues. More than 130 health data breaches took place in 2013, affecting more than 5.7 million individuals. Medical identity theft involves the theft of patient data that includes health records and information regarding insurance, blood type and medications. In certain cases a medical file might also include personal financial information if, for instance, the patient used his/her credit card to cover a co-pay.
HIPAA Compliance in Third Party Organizations
Hospitals not only need to worry about securing data on their own servers, but also about securing data that belongs to them but is stored on the servers of a third party, such as a medical transcription service organization. When entrusting confidential patient data to medical transcription companies to get the records transcribed, physicians should also make sure that the service provider is HIPAA compliant and that the patient data will be safe with them.
Benchmark Study on Patient Privacy and Data Security
According to the fourth annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute, one of the key threats is the unproven security of the health insurance marketplaces created as a result of the Affordable Care Act. Other top threats include criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties, all of which have organizations scrambling to respond.
The survey found that the overall number of reported data breaches at healthcare organizations declined slightly last year, but criminal attacks on healthcare providers increased dramatically, up 100 percent since 2010.
Why Do Cyber Thieves Focus on Patient Records?
Patient records are exposed to both insider and outsider threats mainly because of the value of the information to criminals. These records contain personally identifiable information (PII) and protected health information (PHI). When combined, this information represents highly sensitive "regulated data," which is tightly controlled by federal laws, including HIPAA and GLBA, as well as numerous state breach notification laws.
Key findings of the research include:
- Data breaches now cost healthcare organizations $5.6 billion annually, slightly lower than in past years.
- Nearly 70 percent of respondents believe the Affordable Care Act has increased or significantly increased the risk to millions of patients because of inadequate security.
- Seventy-five percent of organizations cite employee negligence as their biggest security worry, as employees increase exposure of sensitive data through the growing use of their personal, unsecured devices (smartphones, laptops and tablets).
- Seventy-three percent of organizations are not confident, or only slightly confident, that their third parties are able to detect a security incident, perform an incident risk assessment and notify them in the event of a data breach.
What Can Be Done?
The most important thing patients can and should do is to check the Explanation of Benefits (EOB) statements provided by doctors and other medical providers.
HITECH Act for Tighter Security in Digital Health Records
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009, focuses on ensuring the privacy and security of patient health information. Its incentive program provides payments to eligible hospitals and providers who demonstrate Meaningful Use (MU) of certified EHRs by the end of 2014. Eligible physicians can receive up to $44,000 over a 5-year period from Medicare or, alternatively, $63,750 over a 6-year period from Medicaid, while hospitals can receive a base annual amount of over $2 million.
HHS Security Risk Assessment Tool
HHS has also released a new security risk assessment (SRA) tool to help providers with HIPAA compliance. Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program. The SRA tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of that information.