According to the Identity Theft Resource Center, more than one-third of data breaches in 2016 (36.2 percent) occurred within the healthcare industry with 15,426,015 records being lost or stolen — nearly half (43.8 percent) of the total of compromised files for the year.
And these breaches routinely have a direct impact on patients.
Research conducted by the Ponemon Institute found that among surveyed medical identity theft victims, 65 percent paid an average of $13,500 to resolve the crime. These costs included paying a healthcare provider for erroneous charges, repaying an insurer for services obtained by the identity thief, or covering legal costs related to resolving the fraud.
In addition, these patients routinely wasted more than 200 hours to secure and protect their personal medical credentials from further misuse.
With such a direct impact on the patient, it should come as no surprise that 79 percent of survey respondents stated that it was “important” for their healthcare providers to ensure the privacy of their personal medical information, and 48 percent indicated that they would likely change providers if their records were lost or stolen.
Further, despite HIPAA requiring medical agencies to provide notice to patients when a data breach had occurred, the Ponemon Institute found that, on average, victims didn’t learn about the breach from their healthcare provider until more than three months following the crime. And 30 percent had no idea when they became a victim.
What to Watch Out For?
Patient medical records are routinely a rich source of valuable information for identity thieves — often including social security numbers, full names, and primary addresses. According to research compiled by the Brookings Institution, “stolen medical data is sold at a much higher price as compared to other types of data such as stolen credit card numbers.”
In addition, due to government regulations, medical files are stored in large volumes and for an extended period, so if a criminal can compromise your cybersecurity, they have access to a much larger pool of data than from organizations in other industries.
Despite being a prime target, healthcare organizations routinely face the same threats as most modern companies:
- Phishing and other social engineering schemes
- Brute force hacking
- Weak passwords that offer easy access to criminals
- Lost or stolen disk drives, including USB memory devices
How Can You Protect Patient Records?
Employ a risk-based approach to your cybersecurity policies. Identify key targets, such as patient records, and create a hierarchical security structure that provides additional protection for these systems. If possible, implement analytics software to detect security events or threats, enabling IT staff to respond more quickly and mitigate damage.
Consider multifactor authentication — requiring a password as well as a separate passcode, such as a personal PIN — to access patient files. And encrypt records, rendering patient files unreadable even if they are compromised.
The Brookings Institution also found that “Most of the breach incidents [among medical facilities] happen as a result of human error rather than technology glitches, and thus, it is very important to pay special attention to how employees interact with data.”
Establish clear data security and privacy policies that identify who is authorized to access patient records, and regularly communicate these policies to your staff. Also, provide them with regular cybersecurity training that covers sound password policy as well as how to identify and report social engineering schemes.
Vet the system
Test everything. Routinely run penetration tests on your cybersecurity systems, particularly those hosting patient data. If possible, contract outside security agencies or “white hat” hackers to attempt data breaches.
Send “false phishing” emails to staff, which will help identify how effective existing training programs are and any potential gaps in employee understanding.
Help your patients gain more control over their personal medical records. Make it easier for them to review their files and correct any errors they might contain. Also, any explanation of benefits (EOB) that your organization issues should contain information on not only how important it is to report errors but also how patients can do so quickly and easily.
While better patient education is unlikely to prevent data breaches or identity theft, it will help detect and resolve incidents more quickly, resulting in less direct harm to the patient and fewer expenses wasted on identity thieves.
The Next Step
By having your staff and patients join your cybersecurity efforts, your facility can better protect sensitive information and help fight identity theft and medical fraud.
To learn more about how we can help your organization build an effective cyber security awareness program, request a demo of our training services today.