Despite what you might have heard, data security in the healthcare field is no worse than in any other industry — it just happens to be the most regulated and, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), its breaches must be reported.

A recent study — albeit one sponsored by a healthcare data security company — found it is not a question of if a provider will have a data breach, but when. The “Third Annual Benchmark Study on Patient Privacy & Data Security,” conducted by the Ponemon Institute for ID Experts, found that 94 percent of the 80 healthcare organizations participating in the study reported at least one data breach in the past two years.

Based on the survey, providers should not focus solely on preventing data breaches, but on containing any damage when they do occur, especially when the cost of fines, remediation, and even lawsuits can run into the millions.

The survey found that the top three causes of data breaches are lost or stolen computing devices, employee mistakes, and third-party snafus. Those frequencies, however, say nothing about how hard each cause is to control. Some breach risks are more challenging than others, and here’s why:

You can’t prevent data breaches by third parties because you don’t manage them. More than 40 percent of the data breaches reported by providers were attributed to “third party snafus.” Whatever precautions the provider itself takes, the third parties it shares data with are just as likely to have breaches of their own.

A recent example was Alere Home Monitoring, which reported that records of 116,000 patients were at risk because they had been on an employee’s laptop that was stolen. The laptop was password protected, but the records themselves were not encrypted. The distinction matters: a login password only gates the operating system session, and a thief who removes the drive reads the files directly. Under the HIPAA breach notification rule, only protected health information encrypted in line with HHS guidance counts as secured, so the loss of an unencrypted device is a reportable breach.
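To make the password-versus-encryption point concrete, here is an added example (not code from the article, from Alere, or from the Ponemon report). It simulates two laptops holding the same constructed, fictional patient record: one relies on a login password alone, the other encrypts the record at rest with a key derived from a separate passphrase. The "thief" never sees the login prompt; it reads the raw disk bytes. Because the Python standard library has no AES, the example uses HMAC-SHA256 in counter mode as the keystream with an encrypt-then-MAC tag; that construction is sound but non-standard, and in practice you would use AES-GCM (for example from the `cryptography` package) or full-disk encryption. All names, the record contents, and the passphrases are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, fictional patient record used as sample input (not real PHI).
RECORD = b"MRN=000123|NAME=JANE DOE|DOB=1970-01-01|DX=E11.9"
PHI_MARKERS = [b"JANE DOE", b"1970-01-01", b"E11.9"]


def login_ok(stored_hash: bytes, salt: bytes, attempt: str) -> bool:
    """The laptop's password prompt: it gates the OS session, nothing more."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 100_000)
    return hmac.compare_digest(stored_hash, candidate)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """32-byte data-encryption key from a passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived with labels.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: stand-in for AES-CTR (see lead-in).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32), encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; raises on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short to contain nonce and tag")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def exposes_phi(raw_disk_bytes: bytes) -> bool:
    """What a thief sees after pulling the drive: are PHI strings readable?"""
    return any(marker in raw_disk_bytes for marker in PHI_MARKERS)


def stolen_laptop_scenario() -> dict:
    salt = secrets.token_bytes(16)
    login_hash = hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, 100_000)

    # Laptop A: password-protected login, record stored in the clear on disk.
    disk_a = RECORD
    # Laptop B: same login, record encrypted under a key the OS login never exposes.
    key = derive_key("correct horse battery staple", salt)
    disk_b = encrypt(key, RECORD)

    # A modified ciphertext must be rejected, not silently decrypted to garbage.
    tampered = bytearray(disk_b)
    tampered[20] ^= 0x01  # flip one bit inside the ciphertext
    try:
        decrypt(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "login_blocks_guess": not login_ok(login_hash, salt, "password1"),
        "plaintext_disk_exposes_phi": exposes_phi(disk_a),
        "encrypted_disk_exposes_phi": exposes_phi(disk_b),
        "round_trip_ok": decrypt(key, disk_b) == RECORD,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for check, result in stolen_laptop_scenario().items():
        print(f"{check}: {result}")
```

The login check passes on both laptops, yet only the encrypted disk hides the record from someone who bypasses the login entirely. Note that the encryption key is derived from a passphrase that is never stored on the device; if the same password unlocks both the OS and the data, or the key sits in a file next to the records, the thief is back where they started.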

You can’t even trust your own people. Some 14 percent of healthcare organizations participating in the survey reported that “malicious employees” were the source of data breaches. Despite all the data security policies, procedures, and tools a provider may have in place, the risk will always be there of an “inside job.”

As the Louisiana State University Health Care Services Division recently found out, employees steal data because it is lucrative. A suspected identity theft ring that included at least one employee stole $25,000 from LSU hospital patients by harvesting their financial information from hospital records.

Even if most employees are honest, far too many are careless. Nearly half of all reported breaches were the result of employee negligence and/or a lost or stolen device. “Insider negligence continues to be at the root of the data breach,” the report concludes. As Hospice of North Idaho learned recently, when an employee’s unencrypted laptop was stolen the result was a $50,000 fine, even though the laptop held data on fewer than five hundred patients. The U.S. Department of Health and Human Services Office for Civil Rights made special mention of the case because it wanted to send providers a message: no breach is too small to draw the penalties HIPAA prescribes.

How can providers prevent employee negligence? According to the report, training apparently is not the answer. “Employee training is the most common activity but does not seem to be effective in reducing insider negligence,” the report concluded. In the interest of disclosure, the report was sponsored by a company that performs security audits.

While data security measures are far from futile, they cannot guarantee a provider won’t have a data breach. What they can do is minimize the damage.

