This week Advisen looks at cases in the healthcare industry which has the second largest occurrence rate for cyber cases in the service industry, trailing only Business Services.
Health records contain highly sensitive information and are highly sought after by data thieves. As a result, the industry receives significant regulatory scrutiny from the U.S. Department of Health and Human Services (HHS). Despite the sensitivity of the information, and the regulatory scrutiny put on the industry by the HHS, the healthcare industry has a poor track record for data security. In fact, a recent survey of 91 healthcare organizations by the Ponemon Institute found that 90 percent of healthcare organizations have had at least one data breach in the past two years, and only 55 percent believe they have sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft.
Over the past decade the healthcare industry has made significant strides in the broad based implementation of electronic medical records. This is a move that many consider a positive in terms of providing quality and cost of care, but it also is one that has increased the risk of a breach of protected health information (PHI). Just recently the FBI issued two alerts to the healthcare sector warning of increased risk of cyber-intrusions, especially when transitioning to electronic medical records.
The chart below shows the number of cyber-related cases in the healthcare industry over time. A sharp upward trend that peaked in 2010 has since declined. The decline may be in response to increased enforcement of privacy laws such as HIPAA and HITECH by the HHS and the imposition of larger penalties for improper disclosures.
Just recently the HHS imposed the largest ever HIPAA fine on two New York Hospitals to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their network.
The dominant cyber case type in the healthcare industry is “digital data breach, loss, or theft,” which makes up approximately 60 percent of healthcare-related cases tracked by Advisen. This is perhaps not surprising since the Ponemon study revealed that only 55 percent believe they have sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft.
Lax security standards, the transition to electronic medical records, the increased use of mobile devices and internet connected medical devices, and the high financial payout for medical records in the black market, all likely contribute to “digital data breach, loss, or theft” being the dominant case type in the healthcare industry.
Hospitals have by far the highest relative occurrence rate within the health care segment. The relative occurrence rate is derived by taking the number of cases over the number of a particular healthcare facility type (i.e. hospitals, doctor’s offices, nursing and personal care facilities etc.). It makes sense that hospitals have the highest relative occurrence rate considering they tend to have more patients (and hence more patient records) than other healthcare facilities.
When a breach occurs, however, hospitals are only slightly more likely to be involved in litigation than other healthcare facilities as litigation is more evenly distributed compared to occurrence.