5 Key Recommendations to Minimize Data Breaches

New Ponemon Study Reveals “Common-Cold Frequency” of Data Breaches

by Rick Kam, ID Experts

Let’s face it. Data breaches have passed the trend phase and have entrenched themselves into the fabric of everyday business. Data breaches in healthcare are now as common as the cold, requiring an ongoing approach to minimize their frequency, size, and impact.

The newly released Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute reveals that 94 percent of healthcare organizations surveyed suffered at least one data breach during the past two years. What’s more, 45 percent of organizations experienced more than five data breaches each during this same period.

Data breaches are expensive, costing the U.S. healthcare industry nearly $7 billion annually. For patients, the cost is more personal: Of the 52 percent of organizations that experienced medical identity theft, 39 percent say it resulted in inaccuracies in the patient’s medical record and 26 percent say it affected the patient’s medical treatment.

5 Keys to Protecting Your Organization

The Ponemon findings highlight the need for organizations to act now to secure protected health information (PHI) and protect patient privacy. The common occurrence of security incidents requires an ongoing approach to minimize their frequency, size, and impact. We recommend that healthcare organizations:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response procedures. Embedding breach-related processes into everyday business demonstrates what we call a culture of compliance—something regulators love to see.
  2. Restructure the information security function to report directly to the board. This move symbolizes a commitment to patient data privacy and security.
  3. Conduct combined privacy and security compliance assessments annually. A professional risk assessment is less than 1 percent the cost of the average data breach response, a wise investment by any standard. These assessments identify the gaps between an organization’s privacy and security profiles and what the law requires. An accurate assessment forms the basis for successful breach prevention and response measures.
  4. Update policies and procedures to include mobile devices. This is especially critical since, as we discussed, the vast majority of organizations permit employees and medical staff to use their own mobile devices—bring your own device (BYOD—to connect to their networks or enterprise systems such as email.
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, and cyber insurance. Third parties can be the weak link in the PHI food chain. In 2011, for instance, a business associate of TRICARE reported a breach affecting nearly 5 million military clinic and hospital patients. In addition, many organizations have sought relief from the high cost of data breach response with cyber insurance. An effective IRP encompasses third-party contingencies and the role of cyber insurance in managing a security or privacy incident.

Perhaps the most disturbing statistic is that 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Patient information is at risk, yet healthcare organizations continue to follow the same processes. For the trend to shift, organizations need to commit to this problem and make significant changes. These five steps are a good beginning.

Rick Kam, CIPP, is founder and president of ID Experts where this post was published. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.