What role does technology play in healthcare data breaches?

It can be said that healthcare data breaches are a symptom of a greater problem related to an extremely predatory environment whereby hackers or other ill-intending parties raid secure data sources like pirates of the high seas, taking information and exploiting it for their use or selling it on to other parties. With healthcare data at a premium price on the black market, in which buyers will pay $10 per record (nearly 10 times the price of hacked credit card information), the last few years have witnessed several high profile healthcare data breaches affecting millions of patients. However, these high-profile cases belie the fact that healthcare data breaches occur more frequently on a smaller scale.

The figures

The Office for Civil Rights (OCR), tracks healthcare data breaches greater than or equal to 500 patient records. According to OCR, there were 253 healthcare breaches that affected 500 individuals or more with a combined loss of over 112 million records.

According to an analysis of OCR data conducted by Forbes magazine, the top 10 data breaches affected over 111 million records. The bulk of the breaches (38%) were reported as “Unauthorized Access/Disclosure,” while 90% of the top ten breaches were reported as a “Hacking/IT Incident”, representing 21% of all breaches. The other top category was “Theft” at 29% of all breaches.

The economic burden

The overall cost of healthcare data breaches is staggering with studies indicating that the economic burden of healthcare data breaches approaches about $5.6 billion annually. Ponemon Research estimates the direct economic costs of a data breach to be roughly $200 per record. This figure does not include indirect costs such as reputational damage and lost productivity.

the economic burden of healthcare data breaches approaches about $5.6 billion annually

Further an organization may be subject to regulatory fines that can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal penalties.

The healthcare technology

The flow of data between organizations and EHR systems will only increase in the future, as such, the risk of healthcare data breaches will increase. Of course, legal standards contained in HIPAA and HITECH offer the minimum threshold at which an organization should handle and secure its healthcare data. Given the security threats that face practices and their EHR systems and the growing ability to breach even those organizations who follow the law, extra security measures have become a necessity.

One source of guidance is found in the National Institute of Standards and Technology (NIST) Special Publications which sets computer security standards for the federal government and publishes reports on topics related to IT security.

Among all security measures to prevent a breach of healthcare data from an EHR, encryption technology is perhaps the most vital to limiting risk. Although encryption is not a requirement under HIPAA or HITECH these laws do not consider loss of encrypted data a punishable breach. As a risk mitigation and data protection measure, encryption is the most obvious strategy. In addition, encryption, staff training, and clear data security protocols can provide a strong foundation for data protection.

In effect, clear data privacy protocols and thorough training in data handling and collection measures can foster an organizational culture that makes data security a value just as vital as service delivery. From a data risk standpoint, ground up measures such as this can further bolster technology based security.