How Securing Data Protects Your Hospital: A Guide

Before 2008, most hospitals had rooms filled to the brim with manila folders bulging with paper medical records. While paper records caused many inefficiencies and challenges, it would have been quite difficult to physically break into a file room and cart off thousands of documents undetected.

Fast forward to today. Hospital adoption rates for basic electronic health records (EHRs) have skyrocketed from 9.4 percent in 2008 to 83.8 percent in 2015, according to the Office of the National Coordinator for Health Information Technology. But the widespread use of EHRs, which makes information available to patients and other providers over the internet, has also resulted in an epidemic of electronic healthcare data theft. In 2015, 253 healthcare data breaches affecting 500 or more individuals led to a combined loss of more than 112 million records, according to the Department of Health and Human Services’ Office for Civil Rights (OCR) “Wall of Shame” website.

A significant portion of these incidents were the result of criminal activity. A study by the Ponemon Institute and IBM found that 48 percent of incidents in 2015 were caused by a malicious or criminal attack.


Security Breaches: Not If, But When

With IDC’s Health Insights Group projecting that one in three healthcare organizations will have their data compromised in 2016, data breaches have become a matter not of “if,” but “when” for most hospitals.

Records containing protected health information (PHI) are magnets for thieves because the data is more exploitable than, say, standard credit card information. When someone steals a credit card number, they might charge a few items, but banks usually catch on quickly and take immediate action to limit their losses.

Hackers who gain access to medical records can not only see credit card information but also a wide range of additional information including social security numbers, health insurance information, addresses, spouses’ names, children, and health conditions an individual wouldn’t want the world to know. Using information from medical records, criminals can fraudulently open multiple credit lines, create fake IDs, bill insurance or Medicare, use patients’ identities for free consultations, or pose as patients to obtain prescription medications that can later be sold on the street.

Worse still, because medical data theft can go on undetected for months or years, these criminal activities are unlikely to be shut down quickly. As a result, stolen medical records often fetch huge sums of money on the black market—at least $60 for each medical record, compared with $1 for individual credit card numbers.

Yet despite the high likelihood of a security breach, many hospitals fail to take security as seriously as they should until an incident happens to them. According to Healthcare IT News, while most healthcare providers have defined procedures for securing devices, 46 percent admitted that employees were not following these policies.

Given the sensitive nature of healthcare data, as well as all the regulatory and compliance requirements in the healthcare industry, it’s in your best interests to implement better patient data protection practices and ensure that employees follow them.

The Benefits of Protecting Patient Data with Secure Hospital Communications

Healthcare organizations that do put in place measures to secure patient data achieve significant benefits. They reduce financial and compliance risks, lower the risk of reputational damage, provide better quality care, improve patient retention, and more effectively foster health research.

Reduce Financial Risks

Stolen patient records are tremendously expensive for hospitals. The Ponemon Institute and IBM report found that the cost for each healthcare record stolen is $355—more than double the cost of a stolen record in the retail industry.

The financial pain comes in many forms. Expenses include:

  • Detecting, investigating, and stopping a breach
  • Performing hardware and software upgrades necessary to close security gaps
  • Notifying impacted parties
  • Paying for credit monitoring for the victims
  • Compensating patients for injuries suffered as a result of the disclosure of medical records

Lower Compliance Risks

Healthcare organizations must comply with HIPAA and HITECH security regulations. HIPAA requires hospitals to secure 18 types of PHI identifiers, including name, address, contact information, date of birth, medical record numbers, health plan beneficiary numbers, and more. Hospitals are obligated to safeguard this data both “at rest” on a server, device, PC, or laptop and “in motion” as it is being transmitted.

The cost of HIPAA infractions is high. Based on the level of negligence, penalties can range from $100 to $50,000 per violation or per record, with a maximum penalty of $1.5 million per year. Healthcare organizations that implement comprehensive security measures can significantly reduce compliance risks.


Cut Risk of Reputational Damage

If a breach occurs, HIPAA requires that hospitals disclose most breaches to affected parties and the government. And if the breach impacts more than 500 individuals in a particular region, they’re obligated to notify the local media as well. The specifics and timelines for notifications are governed by both HIPAA and state guidelines.

HIPAA and state notification requirements put hospitals at risk of reputational damage, because mandatory press coverage of large breaches can keep the issue front and center for patients, employees, and business partners for months or even years. If a significant security breach occurs, patients, stockholders, and donors can lose confidence in the hospital. Once trust—which is difficult to build in the first place—is lost, it’s very difficult to rebuild. Patients are likely to vote with their feet and go to another hospital. When stockholders and donors defect, hospitals risk losing the funding they need to deliver high-quality patient services.

Maintain Quality of Patient Care While Doing No Harm

Healthcare providers attempting to make the best decisions about medical care for their patients need access to all relevant information about their patients’ medical histories. At the same time, the Hippocratic Oath entreats physicians to protect patients from harm—a responsibility that extends to safeguarding patients’ information, privacy, and confidentiality. Cyber attacks can impede treatment or even actively harm patients by:

  • Preventing physicians from accessing the data they need to make treatment decisions. Various types of attacks can make medical data unavailable to providers. Distributed Denial of Service (DDoS) attacks bombard web servers with so much traffic that they’re unable to handle legitimate requests for patient information. Ransomware is a form of malware that holds patient data hostage, withholding it from healthcare providers unless they pay a ransom to cybercriminals.
  • Mixing a third-party’s medical information into a patient’s medical record. Medical identity theft can create dangerous health risks for patients. If a thief hijacks a victim’s medical insurance to receive treatment, the thief’s medical information will be mixed in with the patient’s legitimate information, creating inaccurate patient records.
  • Incentivizing patients to withhold critical information. Without some assurance of privacy, some patients may hesitate to provide candid and complete disclosures of sensitive information to their physicians that can be essential to providing high-quality care.
  • Inducing financial losses to the patient. Compromise of electronic medical records can lead to personal financial losses for patients. Patients might be tricked into paying someone else’s medical bills, or they may bear out-of-pocket costs while pursuing legal cases to prove in court that fraudulent charges stemmed from a breach.
  • Causing emotional distress. When personally identifiable health information is disclosed to an employer, insurer, or family member, it can result in stigma, embarrassment, and discrimination.

Hospitals looking to provide the highest quality of patient care and reduce patient risks need to maintain the integrity of electronic medical records and ensure their availability to the authorized clinicians who need access to clinical data to care for patients.

Foster Health Research

Hospitals are frequently involved in health research that helps them improve patient care over the long run. Individuals are more likely to participate in—and provide complete information for—this research if they believe their privacy is being protected.

The Time to Secure Patient Data Is Now

With all of the financial, compliance, reputational, patient care, and research benefits of protecting patient data, hospitals need to heighten their sense of urgency about security. The rule of thumb is to implement the most protection your hospital can afford, while recognizing that there’s a risk/reward tradeoff.
