Technology has left an indelible imprint on health care delivery, improving the accuracy and accessibility of patient information, but what about the risks? Consider the following scenarios:
- A hospital nurse lost an iPad containing the names, social security numbers, medical conditions and other protected health information for 25,000 patients vaccinated against the flu.
- A physician group gave its billing company the names and health care spending account numbers of 450 patients. The billing company accidentally posted these files on its public website, where they remained until a patient saw the information.
- A physician office’s server, which contained unencrypted information on 2,500 patients, was hacked and its contents encrypted. The hackers demanded $50,000 to decrypt the information and return control of the server.
Stories like these are a reminder that not all data breaches are created equal. Health care organizations have access to sensitive data regarding not only patients’ finances, but on their health as well. Unfortunately, while health care data breaches are more personal in nature, they’re also more common than most people think.
The numbers paint a startling picture:
- Medical identity theft is more lucrative than credit card theft. According to PhishLabs, a provider of cybercrime protection and intelligence services, stolen health credentials are worth about 10 to 20 times that of a U.S. credit card number.
- Forty-three percent of all identity theft is caused by medical records theft, according to a credit.com article, “Nearly Half of Identity Thefts Involve Medical Data.”
- The cost of a health care data breach averages $316 per record, well above the $201 per record for all industry segments combined, according to the Ponemon Institute’s “2014 Cost of Data Breach Study.”
For patients whose medical identity is stolen, the costs range far beyond the challenge of repairing medical records. Patients’ credit ratings can be damaged. Their health insurance policies could potentially be cancelled or their premiums increased. Worse yet, if the person who stole the medical identity changes the existing medical information, an individual’s health could be at risk.
For health care organizations responsible for safeguarding protected health information, the costs of addressing a breach range from notification and crisis management costs to potential legal action.
The HITECH Act (Health Information Technology for Economic & Clinical Health Act of 2009) has dramatically strengthened information privacy and security requirements for health care organizations. It has also heightened enforcement of the rules.
For instance, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, did not require notification of a breach of medical information. Under HITECH, a breach is presumed and must be reported after the impermissible use or disclosure of protected health information. The only exception is if a documented risk assessment determines a low probability of a breach.
In addition, although individuals cannot sue under HIPAA, state attorneys general can now bring actions on behalf of their residents. HITECH also increases potential fines and penalties for a breach; the price tag ranges from $50,000 to $1.5 million per violation.
It’s not just health care organizations that are affected by HITECH. “Business associates”—third parties with access to patients’ medical data—are now also liable for data breaches.
Risk Mitigation: From the Top Down
The potential risks are significant, but the good news is that they can be reduced. Effective risk mitigation begins at the top. If senior managers make data security a priority, employees will likely do the same. Training and awareness programs, required under HITECH, help build a culture of data protection.
One critical, and constantly changing, element of a health care organization’s risk profile is mobile technology. Tablets, smart phones and other devices make it easy to access and record medical information on the spot—but they also increase risk. A mobile device security policy communicates how employees are expected to safeguard sensitive data. If providers use their own devices on the job, a bring-your-own-device (BYOD) policy should be included. Encryption, while sometimes overlooked, adds a critical layer of protection for all devices.
Another way to mitigate risk is by reducing contractual liability. Health care providers should develop written indemnification agreements with all vendors and third-party service providers and have them reviewed by outside counsel. Third parties should have data breach security controls comparable to those of the health care organization. These providers also should carry data breach or cyber insurance.
In addition, a written network privacy and security incident response plan has been proven to lower breach costs. Having an incident response plan reduces the cost of a data breach by $17 per record, according to the Ponemon Institute.
Given the frequency with which data breaches occur, cyber insurance from a carrier that provides robust risk mitigation and risk management support is also key. Look for a carrier that can provide referrals to qualified vendors and outside counsel with expertise in health care, and that offers loss prevention premium reimbursement.
As long as a lucrative market for stolen health care information exists, safeguarding that data will be a challenge. But by understanding the risks and taking steps to address them, health care organizations can keep their patient information safer.
Beth Strapp is a vice president and specialty health care segment manager for the Chubb Group of Insurance Companies. She can be reached at firstname.lastname@example.org.