Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may have.
Colington Consulting

HIPAA and Cybersecurity – More Must Be Done to Protect Patient Records

5/8/2015 5:10:17 AM

by Jay Hodes, President - Colington Consulting

The last time the U.S. Department of Health and Human Services (HHS) released statistics on how HIPAA breaches occurred, the figure showed that only 8% of those reported breaches were due to hacking. With the recent high-profile cyber breaches at Blue Cross Blue Shield providers Anthem and Premera, that low percentage of reported hacking breaches will unfortunately rise the next time HHS releases those figures.

In general, cybersecurity threats continue to grow not only in healthcare but across all public, business and government sectors. For attackers, the rewards of fraudulently obtaining personal and financial information far outweigh the limited risk involved. When Verizon released its recent 2015 Data Breach Investigations Report, the estimated financial loss for these types of breaches was $400 million from 700 million compromised records. Verizon pointed out the “importance of managing data breach risks.” Here are a few of the significant findings of the report:

  • 60% of the incidents were attributed to errors made by system administrators – prime actors responsible for a significant volume of breaches and records.
  • 95% of these incidents involved harvesting credentials stolen from customer devices, then logging into web applications with them.
  • In 60% of the cases, attackers were able to compromise an organization within minutes.
  • 23% of recipients now open phishing messages, and 11% click on attachments.

When it comes to HIPAA and healthcare, providers must do a better job managing risk to protected health information. If a healthcare provider is a Covered Entity (and most are these days), a HIPAA risk assessment must be conducted on an annual basis. The assessment determines vulnerabilities and threats to electronic health records. Having the proper safeguards in place to prevent breaches from occurring is critical. Conducting IT-related penetration testing is vital.

Although dental providers maintain and transmit less electronic patient information than traditional medical practices, breaches still do occur. Last March, Advantage Dental of Redmond, Oregon, announced that hackers had successfully infiltrated its computer systems and may have accessed over 151,000 patient records.

Cybersecurity insurance is another way to help a healthcare practice if a breach should occur. According to a 2014 NetDiligence Cyber Claims Study, the average claim payout is $733,109, while in the healthcare sector that amount almost doubles to $1.3 million. Although insurance can assist after a breach does occur, it is still best to be proactive when it comes to protecting patient records.

It is necessary to conduct a HIPAA risk assessment, but so much more is needed in order to have a comprehensive compliance program in place. Having the proper policies and procedures, along with workforce security awareness training, is critical.

The ultimate goal is to prevent a breach from occurring. But if it does happen, being prepared in advance will certainly help. Make sure your Breach Notification Policy is up-to-date and easy to understand. Review your cybersecurity insurance policy with your agent to make sure the coverage is adequate. If no policy is in place, consider purchasing one.

As Linda Sanches, Senior Advisor in the HHS Office for Civil Rights for Security and Breach Notifications Audit Program, recently said, “Everyone is going to have a breach. It is just a matter of when.”
