I read almost daily in the news about cyber attacks on U.S. banks, infrastructure, government agencies, and businesses. In fact, government agencies saw a more than 650% increase in cyber security incidents from 2006 to 2010, according to the Government Accountability Office (GAO). The GAO reports that a main reason for the increase is the failure of agencies to fully implement their IT security programs.
To me, this means that many of the incidents could be preventable.
Although healthcare organizations are not often a primary target of hackers, electronic data in the healthcare sector is among the most vulnerable, according to multiple reports, including a year-long investigation by The Washington Post. In fact, healthcare entities accounted for the highest percentage of data breaches in the United States: more than one-third of all data breaches in the country. One study reports that an astounding 94% of healthcare entities have experienced security or privacy breaches with their data.
And we’re not even talking about sophisticated cyber attacks over the Internet, but compromised data due to human error. A majority of healthcare security breaches have resulted from stolen and lost devices, such as laptops, desktops and smartphones — which often are not encrypted or even password-protected.
Despite frequent warnings from the Department of Health and Human Services and the U.S. Department of Homeland Security, the healthcare industry lags behind other sectors in implementing some of the basic security precautions when it comes to protecting patient data.
Of healthcare organizations surveyed in a 2012 study on cyber crime, fewer than half performed an annual security risk assessment — the most effective way to detect a security breach. In fact, 52% of the organizations that conduct one of these audits discover a security breach as a result.
The high costs of security breaches
Who in the industry is most vulnerable to security breaches? According to a 2012 HITRUST analysis: everyone. Even larger hospitals that have security measures in place may be exposed by trends such as shared electronic health records or community health records. Some eye-opening statistics:
- Hospitals and physician practices were responsible for 32% and 28% of the total breaches in healthcare, respectively.
- Government institutions (including VA hospitals) have experienced the greatest loss of records (40%).
- Since July 2011, physician practices have become the most breached organization type, surpassing hospitals/health systems.
- Insiders were responsible for 23% of breaches, accounting for 13% of records breached.
In addition to causing potential harm to patients such as financial identity theft and medical identity theft, security breaches incur huge financial expenses. The average economic impact of data breaches over a two-year period was $2.4 million, a 15% increase compared to 2010.
Call in the data security experts
The problem is that many healthcare organizations, especially smaller physician practices, don’t have access to sufficient resources dedicated to data security. Even at larger healthcare organizations, it’s difficult to expect staff IT professionals to manage all the necessary security projects — threat management, mobile security, storage, and data recovery — to help keep the organization safe from breaches.
To make any significant headway and close the gaps in healthcare data security, I believe it is critical for healthcare organizations to partner with established, proven technology providers to find practical and affordable solutions to help keep our data secure. We can’t afford not to. Once again, it’s a case for working with a trusted technology partner, so healthcare organizations can focus primarily on providing care to patients, while their technology partner does what it does best: help protect their information.