Prioritizing Security & Privacy in Healthcare Sector
Physician offices, hospitals and health insurers take practical steps each day to protect private patient health information (PHI) and comply with HIPAA regulations. Anyone interacting with patients and regularly accessing or discussing confidential medical records is obligated to adhere to certain requirements to uphold privacy and security.
For example, employees must be mindful of what is said aloud pertaining to an individual patient. Doors must be closed when patient conditions, treatments and procedures are discussed in person or over the phone. Staff should never leave voice mails with specifics about patient health conditions or test results. Even simple acts like summoning patients from the waiting room must be carried out with patient discretion in mind.
Failure to do this can result in a reported HIPAA breach that can be accompanied by potentially heavy monetary fines and often-irreparable reputation damage. The industry’s need to prioritize the integrity of patient data is even more pronounced in this time of flux within the healthcare sector.
Transitioning to the Electronic Age
Healthcare service providers today are in the process of converting all paper medical records to electronic health records (EHRs) or electronic medical records (EMRs) to meet the meaningful use requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA incentivizes the healthcare sector to accelerate the adoption of enterprise-wide electronic medical data by 2015 or face possible penalties.
We are entering a period in our history where volumes of confidential patient health information (PHI) will be stored, shared, and accessed electronically for the very first time ever. There has never been a more critical time for healthcare service providers to ensure that patient rights are protected, confidential information is safeguarded, and this transition from the immovable locked file cabinets to today’s electronic-system is completely HIPAA compliant and secure.
How HIPAA Breaches Most Commonly Happen
The U.S. Department of Health’s Office of Civil Rights found that there have been 21 million HIPAA security breaches since 2009. These breaches have resulted in an average of 2,769 records being lost or stolen per breach. Among them:
- 48% were stolen medical files
- 48% were stolen billing and insurance records
- 20% were stolen prescription details
- 13% were stolen monthly statements
- 24% were stolen patient billing/payment details
- 19% were stolen payment details
During this period, 66 percent of the reported large-scale HIPPA violations were due to the physical loss or theft of electronic equipment or storage media such as a laptop or flash drive that held unencrypted PHI. Another 8 percent of the large-scale HIPAA breach incidents were the result of hacking and cybercrime.
Physical Theft
Based on the above findings alone, one can come to the obvious conclusion that storing such unencrypted data on a physical hard drive or any portable storage media device elevates the risk of an HIPAA breach. Therefore, eliminating the need to store or transfer this data on equipment such as laptops or flash drives should significantly minimize the risk of many of the HIPAA violations reported today.
Cybercrime
Cybercrime is a growing threat within the healthcare sector since the industry has been slow to adopt new technology. According to the Identity Theft Resource Center, there were 17 reported financial industry data breaches in 2012 compared to a reported 154 healthcare industry breaches during the same time frame. The aging technology commonly used by healthcare service providers is rife with software and security flaws making it susceptible to data breaches resulting from hacking and other cyber-attacks.
Data thieves view private medical records as a high valued commodity – a gateway to identity theft. Safeguarding this data is challenging. With the shift to electronic records, data thieves have upped their game, finding new ways to gain unauthorized access to patient data by exposing vulnerabilities.
Defending against cybercrime requires constant monitoring for intrusion attempts and security upgrades. In this era where the volume of stored data is increasing, new cyber threats seemingly surface every day, and there is continuous demand to comply with regulations; healthcare service providers securing their own infrastructure will inevitably become overburdened and more vulnerable to attacks and HIPAA breaches.
The Case for Moving Data to the Cloud
Although many healthcare service providers have shown a reluctance to abandon their in-house IT infrastructure and security measures, on premise data center attacks are proving to be more prevalent, costly, and difficult to rebound from.
Healthcare providers who have resisted the cloud due to privacy and security concerns could be making a grave mistake. Increasing evidence suggests that the cloud can actually enhance data security. It does this while also freeing up manpower and budget dollars that can be better allocated toward the principle objective of improving patient care.
Proactive Remote Monitoring
Leading cloud-service providers offer an around-the-clock remote monitoring service that maximizes uptime while monitoring each node in the cloud infrastructure, each access point, and the data center platform as a whole. This is an extremely important function that detects and addresses potential issues before they become serious breach incidents. Metrics are collected and alerts are triggered whenever faulty conditions such as a data backup failure or an authorized attempt to access data are detected.
CLICK HERE for a free network assessment and see how your sensitive information can remain secure in the cloud.