Attention to how medical information is treated by Covered Entities and Business Associates has been heightened in the information security field over the last couple of years. With 2014 dubbed the “Year of the Mega Breach”, much of the information security attention, or lack thereof, revolved around companies like Target and Home Depot.
With so much attention paid to these types of organizations, their security framework and how card holder data is protected, it came as a surprise to everyone in the medical field when healthcare data breaches started occurring at the same rate the following year.
Ultimately, 2015 will be known as the “Year of the Healthcare Security Breach”, focusing both on Covered Entities and Business Associates.
Before the first half of 2015 was over, five of the eight largest ever security breaches in the medical sector had occurred. An astonishing 34% of compromised records, compared to 0.63% between 2011 and 2014, has led to a state of panic among both Covered Entities and Business Associates.
More and more Americans are becoming victims of healthcare data breaches. Some breaches are small in scale while others affect millions of individuals in a single incident. These large scale incidents show a growing trend of cyber attackers targeting PHI.
Here are interesting facts about PHI related data breaches:
- PHI can include sensitive information (Social Security Number, medical record data, dates of birth, etc.)
- Unlike credit card breaches, where laws safeguard the individual and the breach can be discovered in near real-time, PHI breaches can take significantly longer to identify
- Large volumes of records can be accessed in a single breach attempt
- According to the 2016 Bitglass Healthcare Breach Report:
  - In 2015, more than 111 million individuals’ data was lost due to hacking or IT incidents in the U.S.
  - Only 97 breaches were identified as resulting from loss or theft last year (there seems to be a trend of better internal controls around how media is safeguarded)
  - The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans
Interestingly, many of these breaches happen in-house. A disgruntled employee or an employee with preconceived plans can be the worst nightmare for a Covered Entity or Business Associate. It is vital that Covered Entities and Business Associates implement controls that can help with these types of incidents. Many times, organizations are focused on protecting themselves from outsiders when the danger is actually a workforce member.
Whereas in the recent past the onus fell on Covered Entities, Business Associates are increasingly finding that their access to PHI has turned the attention to them. Pointing fingers is no longer a viable defense. Just like Covered Entities, they must set up controls that protect the PHI they work with and safeguard it.
As we make our way through this year, it will be interesting to see what trends continue or evolve. What “Year of” title do you think will be bestowed upon 2016?
Whether you’re new to the blog or have been keeping up with this blog series from the beginning, I hope you found this information valuable. As a reminder, I will continue to post regularly until February 29th, the start of HIMSS16 convention in Las Vegas. Let us know if you plan to be there too as we’d love to connect with you at the event!
Please feel free to leave any comments or questions below! If you would like a security risk or HIPAA/HITECH compliance audit quote, please contact us at firstname.lastname@example.org.
Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.