Patient Privacy is in Jeopardy: Data Breaches, High Payouts, and PHI
How important is a patient's privacy? If your organization is a healthcare facility, the instinctive answer is "Very important!" After all, a patient's privacy is the foundation of the doctor/patient relationship.
Right?
When it comes to patient data, the real answer may surprise you. Organizations do, of course, take steps to safeguard the data they collect and store, but the fact remains that PII (personally identifiable information) and PHI (protected health information) are attractive targets for hackers. Changing trends in the causes of healthcare breaches show that PHI is a treasure trove of sensitive information.
Changes in the Nature of a Data Breach
The 2021 Data Breach Investigations Report from Verizon found that the healthcare industry is undergoing a shift in how data is breached: there has been a drop in breaches caused by malicious internal actors, but the industry is still plagued by human error that leads to data breaches and, worse, external threats are on the rise.
The healthcare industry is consistently one of the industries most targeted by hackers, and is frequently named the most expensive industry in which to suffer a data breach, with an average breach costing 7.13 million USD in 2020, an 11 percent increase over 2019. In fact, 2020 was the worst year on record for healthcare data breaches: the industry experienced exposures at a rate of nearly two per day. Why is the healthcare industry at such risk?
Underprepared Systems and Vulnerabilities
Healthcare systems, hospitals, and physician organizations themselves report that they are ill prepared to respond to cybersecurity threats or lack the appropriate safeguards. Approximately 73 percent of the healthcare providers surveyed by Black Book Research are vulnerable to a data breach in 2021, an increase of more than 300 percent versus the previous year.
The healthcare industry is caught between a rock and a hard place: besides being unprepared to combat existing, known threats, it also has to protect itself proactively against new ones.
Slow Containment
Another alarming statistic is that the healthcare industry typically takes the longest to identify and contain a data breach, at 329 days. For comparison, the average across all industries is 280 days from intrusion to containment, while the fastest industry, finance, typically identifies and contains a breach in 233 days, nearly 100 days faster than healthcare.
Is the Protection of Patient Data a Priority?
Although IT spend specific to cybersecurity products and services is increasing, according to Black Book Research, 82 percent of hospital CIOs, along with 90 percent of practice administrators, say they are not spending enough to protect patient data from a breach.
The study expands on this, reporting that most healthcare organizations have neither the staff nor the technology to adequately protect their patients' information. Problems include outdated systems, few cybersecurity policies, and untrained staff or small teams.
By leaving their IT teams ill prepared to set up sufficient defenses – let alone respond to a breach – healthcare organizations are sending the unfortunate message that patient data is worth the gamble that their organization won’t be the one targeted.
Related Reading: 8 Ways to Protect Your Healthcare Organization from a Data Breach
Why don’t HIPAA and HITECH, two U.S. regulations meant to guide organizations that handle patient data, help in the fight for better data security?
1. HITECH Rules Fail to Ensure Protection
HITECH (the Health Information Technology for Economic and Clinical Health Act) encourages healthcare organizations to move to Electronic Health Record (EHR) systems to help better secure patient data. And, indeed, many organizations have either completely implemented EHR or plan to fully implement it soon.
Yet the HITECH regulations to date do not seem to have reduced security breaches at all, and indeed open new avenues for them. In one instance, an EHR vendor reinterpreted the meaning of PHI by treating information uploaded by patients as fair game for marketing and advertising use, while treating information uploaded by the healthcare provider as PHI.
Because HIPAA and HITECH apply only to a narrowly defined set of "covered entities" (and their business associates) that must protect patient data, third parties have interpreted them as protecting PHI only when the data is recorded or used by one of those entities.
2. HIPAA Needs Modernization
HIPAA was passed in 1996 and amended by HITECH in 2009. Since then, the ways consumers use social media and technology have evolved, and the privacy laws haven't kept up. Whether the gaps in the current versions of HIPAA and HITECH need a new amendment or a new interpretation to continue to protect patient data remains to be seen, but it's clear that some changes are needed:
- PHI and PII should always be protected, no matter who created or holds the data.
- Individuals should have the right to access, amend, and delete PHI, as well as adjust disclosure options.
- Data should be secured, with clear definitions of who is allowed to access it, and of their obligations and liabilities.
Data is everywhere, and patients can support better data security by using strong, unique passwords, checking that a site is legitimate and uses HTTPS before entering sensitive information, and safeguarding their own health information.
Related Reading: Can HIPAA Certified Solutions Really Guarantee Compliance?
3. Unintentional Actions are a Primary Cause of Breaches
IBM’s annual report found that the root causes of healthcare data breaches are approximately 50 percent malicious attack, 27 percent human error, and 23 percent system glitch. Misdelivery (sending sensitive information to the wrong recipient) is one of the main causes of human-error breaches.
With EHR systems in place, technologies should be deployed to prevent these unintentional breaches. Access controls (both within systems and for physical access), firewalls, intrusion prevention systems, monitoring systems, and encryption are all tools that organizations can put in place to limit inadvertent access or sharing.
Protecting Data with Encryption Technologies
Encryption technologies are valuable both for compliance and for preventing unintended disclosure. Encryption of data at rest is one of the key safeguards that HITECH specifically recognizes: under its breach notification rule, PHI that is encrypted according to HHS guidance is not treated as "unsecured," because an encrypted file cannot be read, accidentally or otherwise, without the decryption key.
In addition, some tools that help with encryption, like GoAnywhere Managed File Transfer, monitor and record when, and by whom, data has been accessed. These records let IT security audit the use of data so that, if a breach occurs, its scope and seriousness can be assessed quickly and confidently. For that assessment to be trustworthy, the audit log itself must be kept out of the intruder's reach, for example by forwarding it to a separate system.
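The following Go program is an added example, not code from this page or from GoAnywhere MFT, that shows the two properties described above working together: records are stored encrypted at rest with AES-256-GCM so they cannot be read without the key, every read attempt is written to an audit log, and an incident responder can use that log to scope what a compromised account actually reached. The `Vault`, `Store`, `Read` and `ScopeBreach` names, the access-control flag passed to `Read`, and the sample records are all hypothetical and constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
	"time"
)

// AccessEvent is one audit-log entry: who tried to read which record, when,
// and whether the read was permitted.
type AccessEvent struct {
	When     time.Time
	User     string
	RecordID string
	Allowed  bool
}

// Vault stores PHI records encrypted at rest with AES-256-GCM and keeps an
// append-only log of every read attempt. Hypothetical design for this example.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // recordID -> nonce || ciphertext
	Log     []AccessEvent
}

// NewVault wraps a 16-, 24- or 32-byte key in an AES-GCM AEAD.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Store encrypts a record under a fresh random nonce. The record ID is bound
// as additional authenticated data so a ciphertext cannot be swapped between
// IDs. Random 96-bit nonces are fine for small volumes; high-volume use
// would need a counter-based nonce scheme or key rotation.
func (v *Vault) Store(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.records[id] = v.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Read decrypts a record on behalf of user, logging the attempt whether or
// not it succeeds. authorized is the caller's access-control decision.
func (v *Vault) Read(user, id string, authorized bool, now time.Time) ([]byte, error) {
	v.Log = append(v.Log, AccessEvent{When: now, User: user, RecordID: id, Allowed: authorized})
	if !authorized {
		return nil, errors.New("access denied")
	}
	blob, ok := v.records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt record")
	}
	// Open fails (authentication error) under the wrong key or a tampered blob.
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// ScopeBreach answers the incident-response question the audit log exists
// for: which records did a given account successfully read in the window?
// Denied attempts are excluded; the result is sorted and de-duplicated.
func ScopeBreach(log []AccessEvent, user string, from, to time.Time) []string {
	seen := map[string]bool{}
	for _, e := range log {
		if e.User == user && e.Allowed && !e.When.Before(from) && !e.When.After(to) {
			seen[e.RecordID] = true
		}
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	// Constructed sample records, not real patient data.
	_ = v.Store("MRN-1001", []byte("Jane Doe, DOB 1980-01-01, Dx: ..."))
	_ = v.Store("MRN-1002", []byte("John Roe, DOB 1975-05-05, Dx: ..."))
	t0 := time.Date(2021, 6, 1, 9, 0, 0, 0, time.UTC)
	v.Read("nurse.a", "MRN-1001", true, t0)
	v.Read("nurse.a", "MRN-1002", true, t0.Add(time.Hour))
	v.Read("nurse.a", "MRN-1001", false, t0.Add(2*time.Hour)) // denied, still logged
	fmt.Println("records exposed via nurse.a:", ScopeBreach(v.Log, "nurse.a", t0, t0.Add(3*time.Hour)))
	// A copy of the stored ciphertext is useless without the key.
	other, _ := NewVault(make([]byte, 32))
	other.records = v.records
	_, err := other.Read("admin", "MRN-1001", true, t0)
	fmt.Println("read with wrong key:", err)
}
```

The access decision is deliberately passed in rather than made inside `Read`, so the vault logs every attempt the access-control layer makes, including the denied ones that often mark the start of an intrusion.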
Related Reading: How GoAnywhere MFT Helps the Healthcare Industry Thrive
When looking for solutions that can safeguard patient data at your organization, it’s important to look for identity and access management, security and integrity monitoring, virus and malware protection, and detailed audit logs.
Is Your Patient Data Protected?
So how important is a patient's privacy? We believe it's vitally important. It might be time to secure your file transfers with a managed file transfer solution.
See how a managed file transfer solution can help you meet HIPAA compliance requirements and simplify your electronic data transfers in our guide, How MFT Addresses HIPAA Requirements for ePHI.