HIPAA, Hacking and Health Information Security
By Tamer Abouras
It seems as though almost every time you open up the news these days, there’s a headline about some high profile organization or government having been hacked and the private information of many people being either lost or compromised in the process.
Whether it’s Sony or users of Ashley Madison, there is more and more a prevailing sense that very little digitized information isn’t at least somewhat vulnerable to an attacker who’s seeking it. And perhaps no sector has been more under siege, especially recently, than healthcare — and specifically the gatekeepers of health information.
Per the Ponemon Institute and ADVANCE’s own reporting, more than 90% of healthcare organizations have suffered a data breach, with more than 40% of those occurring in the last three years. Let that sink in: if you’re an HIM professional, there’s a nine in ten chance your company has suffered a data breach. And if it hasn’t yet, look out, because the odds are it won’t stay that way for long.
It isn’t merely a matter of stolen, lost, and compromised information, however — at a fundamental level there is a disconnect within these organizations as to just how secure they are and how secure they ought to be.
In the SecurityMetrics HIPAA Security Rule Report, a survey of C-level, risk officers, and IT managers revealed a “10-20% gap between what executives believe is happening in regards to patient data security in the organization, and the reality.”
Among other key insights from the report, it was revealed that “80% of respondents believed their organization to be fully HIPAA compliant, even while most surveyed were missing key elements of compliance with the HIPAA Security Rule.”
Probably the most startling and troubling fact the report bore out was that, in spite of C-suite confidence in the security of patient data, only 60% of risk and compliance officers could attest that their organizations had developed and readied a HIPAA Risk Management Plan.
Just yesterday, the University of Oklahoma’s Department of Urology lost the supposedly confidential information of over 9,300 patients who had been cared for by OU Medicine between 1996 and 2006.
So this sort of thing happens with scary regularity and yet, there doesn’t seem to be an appropriate level of concern. It’s almost as though there’s a cottage industry of people covering hacks and data breaches who subsist on writing handwringing pieces about the “need” for a sort of security that seems permanently out of reach; the hackers always seem to keep pace with the good guys.
Whether it’s denial on the part of some executives or just a certain desensitization and a feeling that perhaps this isn’t quite as dangerous for patients and consumers as, say, having one’s credit card data stolen, the reality is that the costs associated with a person’s medical information being stolen can be every bit as bad and then some. The difference is that the bills are often back-loaded.
According to Healthline’s Shawn Radcliffe, “the going rate for stolen health credentials is up to ten times the value of stolen credit card information.”
He continued, saying that “unlike stolen credit cards, which can be easily canceled and fraudulent purchases more quickly detected, once your personal medical information is stolen it’s difficult to put the genie back in the bottle. Many people are not even aware that their medical information has been stolen. It can take years until a collections agency goes after them for the cost of medical services that they never received.”
Perhaps the biggest contributor to the current healthcare information crisis is that so many of us are too quick to dismiss the idea that we have one.
This article was one of our most popular of 2015.