During the past decade, the health care industry has adopted new practices and technology to protect against patient data breaches. But as protection of data becomes more sophisticated, so have the ways in which the data are exposed.
Data security firm ID Experts examined some of the biggest breach cases from the past decade and talked with data security experts to understand how the trends have changed during the past 10 years. The report identifies future threats to data security and gives advice on how organizations can respond to those threats.
One of the biggest changes during the past decade is the data being targeted. Ten years ago, it was personally identifiable information. Now, said Rick Kam, president and co-founder of ID Experts in Portland, Ore., personal health information is being targeted, mainly because of the value it holds and the relative ease with which thieves can get their hands on it.
In 2003, 5 million people were victims of identity theft. In 2012, that number jumped to 12.5 million. This is due, in part, to the fact that a decade ago, most breaches were caused by human error (lost devices, records being exposed in insecure ways).
Now breaches have become more targeted and sophisticated with a large and growing number of breaches being caused by hacking and cyber criminals. “These criminals essentially are finding ways into those systems to go after very specific pieces of data, and using that data to create bigger frauds,” Kam said.
Vulnerability of medical records
Kam said every study he has seen indicates that medical records hold an average black market value of $50 per record. He also cited other surveys that said 94% of health care organizations have had at least one breach in the previous two years. Because data can now reside in multiple locations, including unsecured smartphones, laptops and tablets, and can be transported to an infinite number of locations, thieves, whether they are outside hackers, device thieves or people who try to manipulate staff into sharing sensitive information, have more areas to target.
“The proliferation of mobile devices presents a whole new threat,” said James Christiansen, chief information risk officer of the risk management firm RiskyData of Orange County, Calif., in the ID Experts report. “They are woven into the fabric of the enterprise computing environment, but we don’t have the needed controls at the enterprise level yet.”
The ID Experts report was released around the same time as publication of a breach report by California Attorney General Kamala Harris. That report found that of the 131 data breaches reported to her office in 2012, 55% were intentional intrusions by outsiders or by unauthorized insiders. The other 45% were mostly the result of failures to adopt or carry out appropriate security measures. The retail industry reported the most breaches at 26%, followed by financial and insurance at 23%. The health care industry had the third most-reported incidents at 15%.
Most of the experts who participated in the ID Experts report agreed that the problem of data breaches will get worse before it gets better. Not only will the breaches be more frequent but also more severe, they said. Kam said another new potential source of breaches is the statewide health information exchanges that were funded under the Health Information Technology for Economic and Clinical Health Act, because many are short on cash and might not have the means to protect their data from all threats.
What organizations can do
There’s more awareness of data risk than there was a decade ago thanks to the Health Insurance Portability and Accountability Act, the HITECH Act, the Red Flags Rule and state data breach notification laws that require disclosure and corrective action by health care organizations. But many organizations are relying too much on technology to protect their data rather than focusing on how they can use the technology correctly and training employees to be better stewards of the data, said John Sileo, CEO of the Sileo Group, a data security consulting firm in Denver.
Kam said an area that needs more attention is training business associates, who will, starting in September, be subject to the same Office for Civil Rights enforcement penalties that HIPAA-covered entities have been subject to. He said there are about 500,000 covered entities and 3 million business associates. A business associate is any outside group, such as an insurer or vendor, that has a relationship with a physician practice or other health organization.
Date: July 29, 2013