With the growth of the internet into every aspect of our lives, the risk of data breaches is increasingly becoming a concern, and the healthcare industry has much to lose from failing to protect personal data. In fact, the statistics for healthcare-related data breaches are nothing short of alarming. For example, Crittenden Research suggests that the annual number of healthcare breaches increased from 160 to 333 between 2010 and 2014. The Ponemon Institute’s study on Privacy & Security of Healthcare Data found that over a two-year period, 65% of healthcare organizations experienced electronic security incidents, and 54% experienced paper-based security incidents; more than 90% had at least one data breach, and 40% had more than five. They estimated that the healthcare industry accounted for 44% of all 2013 data breaches – more than any other economic sector. The average data breach cost for healthcare was $359 per record. And remember that an individual breach can affect an enormous number of records: in 2015, the number of affected records was estimated at 112 million.
Health organizations hold a variety of confidential personally identifying information (“PII”) that can be damaging in the wrong hands. Information such as names, addresses, dates of birth, and Social Security numbers can be used for identity theft. Additionally, health records include data related to patients’ overall physical condition, disease states, medical ailments, disabilities, and insurance.
Why Now?
A number of factors contribute to making this kind of information more accessible and vulnerable today than in the past. Even developments such as the Affordable Care Act provide incentives for, or even require, healthcare providers to digitize patient data. Ideally, this is to facilitate better care, allowing your medical information and history to be reviewed by any attending physician anywhere in the country. But this same information has such a high black market value that even greater emphasis will be required to keep it secure. Cybercriminals already recognize both the value of health data and its availability.
What Can We Do?
A good security management program can help organizations identify their own security holes and threat environment, and implement a mitigation strategy to reduce potential harm to both the entity and its patients. Many of these programs share key features, a number of which are mandated by state or federal law. Security risks of this nature are evaluated in the context of these programs, and plans are established both to prevent breaches and to respond to any breaches that take place.
In addition to improving security for everyone’s sake, health organizations also need to protect themselves. Data breaches are not adequately covered by general medical malpractice insurance contracts, which tend to have modest provisions for cyber liability and data breaches. With the potential (and already realized) costs of these kinds of breaches, cyber-liability insurance starts to take its own place in the spotlight. Standalone insurance policies with sufficient limits are both available and relatively affordable, and if a data breach occurs, the policyholder works with a data-breach coach who coordinates a rapid response. Some cyber-liability policies also cover fines, penalties, and third-party lawsuits, but with a response team on the part of both the business and its cyber-liability underwriters, additional or ongoing damage tends to get mitigated rather quickly. In this way, the insurance policy doesn’t just cover damages, it can also reduce them.
The industry simply has to insure itself, and its patients, against the threat and damage of a data breach. It’s just good sense, and good business.