Healthcare Breaches and the HIPAA Risk Assessment

Healthcare attacks are on the rise, there is no doubt about that trend. In 2013 and 2014, credit card breaches are all everyone was talking about. While those still garner headlines today, healthcare breaches have taken over as the top news stories. In some of the largest breaches reported, 2015 has seen an incredible number of individuals affected. Some of these breaches include the Anthem breach which affected 80 million individuals, the Premera breach which affected 11 million people, the UCLA breach which affected 4.5 million individuals, and the Medical Informatics Engineering EHR breach, which affected 3.9 million individuals. All totaled, that is 99.4 million individuals that have been affected in some way by healthcare data breaches just this year alone! The questions now become why is this happening in healthcare and will this trend continue? Here are some reasons why this is occurring: 

• Highly Valuable Information: While there is no standard number, it is estimated that medical records are worth up to 10 times more than a stolen credit card number on the black market. While the average credit card number gets about $1, the average stolen health record gets around $10. Why? The information in a medical record, including names, birth dates, social security numbers, insurance policy information, etc. allows a person to create a fake identity. Secondly, it can take years for a person to realize that their information has been stolen as compared to a credit card which can only usually be used 1-2 times before the fraud is recognized.
• Low Hanging Fruit: Healthcare spending on Information Technology continues to lag almost all other industries. The reasons for this are unclear, especially with the shift to Electronic Health Records, but the fact remains that healthcare organizations continue to lag behind industries such as banking and retailers in terms of IT Spending.
• Checking the Box: When an organization implements their EHR system, in order to recoup some of the costs associated with this transition, they must perform an IT Risk Assessment that is documented. The problem is that most organizations view this exercise as a “check the box” exercise and not as a continuous initiative that needs to be revisited and re-evaluated on a consistent basis. IT Security has to be a culture shift within the organization through initiatives such as Security Awareness Training, not a point in time assessment.
• Criminal Enterprise: According to the Ponemon Institute, criminal attacks are the number one cause of healthcare data breaches and are up 125% over the past five years. Criminal organizations all across the world recognize the inherent value in the information contained in a medical record as well as the lack of resources that most healthcare organizations implemented to safeguard said information. This formula has proven to be very lucrative to criminal organizations as a way to make money faster than ever before.

Now that we have identified some of the reasons why the attacks on healthcare providers is increasing, what can we do to mitigate the risk of this happening to more organizations. The first thing that must be done is a thorough HIPAA Risk Assessment. This will give you a clear picture of where your organization stands compared to HIPAA regulations, what risk that presents to your organization, and what steps need to be taken to mitigate those risks. Second, organizations must create a culture of security and empower their employees to ask questions and raise red flags when something doesn’t seem quite right. This would include Security Awareness Training on at least an annual basis and testing employees through various email phishing campaigns. When employees are trained, empowered, and tested, they are more likely to report suspicious activity and ultimately prevent the loss or theft of data. Third, organizations must take a good look at their vendors and implement a vendor management program. This program would include conducting due diligence on your vendors, requesting copies of their IT Security policies and procedures, and conducting a thorough risk assessment to determine the risk they present to your organization should they be breached.

The steps listed above will give you the beginning of creating a culture of security in your organization and ultimately help you be better prepared for when an attack comes. Compass IT Compliance works with Healthcare organizations across the country on all of these services to ultimately mitigate their risk of an attack and information that could be lost if an attack occurs. For more information, download our HIPAA Risk Assessment brochure below or contact us for more information on our services and how we can help.