Healthcare-related data breaches just are showing no signs of slowing down. Just last week, the Stamford Podiatry Group was reported by the U.S. Department of Health and Human Services Office for Civil Rights to have suffered a hacking/IT incident that exposed the records of 40,491 people. Days later, the same office reported that Washington DC, VA Medical Center suffered a physical record theft that exposed 1,062 individuals.
We’re seeing breaches in healthcare like that, both large and small, all too often.
It’s happening at a critical time for the healthcare industry. Billions are being invested in technology to help patients and providers make better decisions and to clear away much of the wasteful paperwork and clumsy workflow that has plagued the healthcare market for years. The challenge in the next few years is to secure these systems so that lax security in the industry doesn’t derail the progress that could be made with electronic health records and the convergence of the Internet of Things with medical devices.
According to a report published last year by research firm Transparency Market Research, the Electronic Health Records (EHR) Market reached $15.56 billion in 2013 and is expected to hit $23.98 billion by 2020. And the more these records are shared electronically, the greater the risk for more, and even bigger data breaches.
Last year, more than 100 million healthcare records were exposed in more than 253 breaches in the US, according to the Office of Civil Rights (OCR) under Health and Human Services website.
Then 2016 started out hard on the healthcare industry with a series of breaches right after the calendar change, including Aventura Florida-based Elite Imaging on January 4, which involved 1,457 records. On January 5, the Portland, Ore-based Washington Hospital Healthcare System notified customers of a data breach to their system in the Washington Community Health Resource Library. This system is used to maintain library identification cards. The information compromised included names, addresses and driver's license numbers.
The very next day Brookville , NY AHRC Nassau suffered a data breach of 1,200 records when unauthorized disclosure of files containing personal information was exposed. The specific information compromised was not communicated.
Nearly every healthcare CISO I speak with tends to think the security in their organization is adequate, if not top notch. Yet the number of data breaches, like those detailed above, undermine confidence. Analysis by the Ponemon Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data found a staggering 89 percent of healthcare organizations have been breached in the past two years.
The survey analysis didn’t get much better from there. The survey also found that 79 percent of healthcare enterprises had at least two data breaches over the same period, while 45 percent suffered at least five data breaches in two years.
When it comes to the cause of these data breaches, it’s an even split between mistakes made by employees and partners and stolen devices (opportunistic theft of the device) and criminal attacks. The data commonly exposed are medical records. The average cost of a healthcare data breach during the two years analyzed reached $2.2 million.
Overall, companies in the healthcare sector are three times as likely to have a data breach than the average firm in any other industry. According to the FBI, the value of patient data is 20 times as high as financial data – most likely because the market is already flooded with credit card data. Credit card firms and banks have also greatly improved their ability to spot fraudulent activity.
The industry needs to find itself a data breach cure soon. Not only to fix the infections and data breaches, and curtail regulatory fines and all of the associated data breach costs - which are all bad enough – but, as noted above, the industry is also going through tremendous technological upheaval. More doctors, patients and hospitals are relying on technology to diagnose, deliver and manage care. Medical devices are becoming networked and wireless – and hackable. Patients are wearing medical devices that measure and report conditions back to their physicians. Hospitals and insurers are relying ever more on electronic medical and health records. And more patients than ever would rather contact their doctor by web form than filling out in-office forms.
As these levels of connectedness grow, so will the nature and significance of the data breaches. While the level of breaches so far has seemed bad as the industry moves toward the increased convenience and benefits of connected health, these breaches to date will look like the good old days.