February 16, 2016

5 Big Surprises in Healthcare Security

With breaches of personal data appearing in the news every day, new trends continually emerge across varying industry sectors, but the spotlight has consistently fallen on healthcare as one of the most likely sectors to suffer from data breaches. In 2014 the Information Commissioner's Office investigated 517 potentially serious breaches of the Data Protection Act across UK healthcare institutions, more than any other industry.

Data security in the healthcare sector is particularly important because of the detailed and often sensitive information that patient records contain, making it easier for criminals to commit identity theft. Two new US reports examined the issue in detail and uncovered a few surprises about health data breaches – underlining the fact that you can’t paint all data breaches with the same brush.

Here is what research showed about healthcare security and data breaches:

Not Just the Healthcare Industry: The 2015 Protected Health Information Data Breach Report by Verizon showed that 90% of the industries studied have experienced health data breaches. In fact, many organisations outside the healthcare sector collect sensitive health information (in employee records or for private medical insurance, for example). Another US study, the State of Healthcare Information Security 2015 survey, showed that business associates taking inadequate security precautions with medical records are a threat too.

By the Numbers: Verizon reviewed 1,931 incidents from 25 countries comprising at least 392 million patient records. But the total number of compromised records might be much higher – 24% of breached organisations did not provide the exact number of records involved.

Physical Breaches the Most Common: The Verizon data showed that lost or stolen assets, privilege misuse, and miscellaneous errors (such as information misplacement, disposal errors, and publishing mistakes) together caused 86% of all breaches of patient data.

People, not Hacks: The State of Healthcare survey showed that human error – and often insider misuse – was responsible for more breaches than hackers in healthcare. “We spend millions on new technology, countless hours on policy writing, and engage all stakeholders to enhance their awareness,” wrote Dr. John D. Halamka in an online post. “Yet, we’re as vulnerable as our most gullible employee.”

What are healthcare privacy and information security best practices for organisations that handle personal data?

  1. Understand requirements of legislation covering patient health records including The Data Protection Act 1998, The Access to Health Records Act 1990 and The Medical Reports Act 1998.
  2. Implement a security strategy, and put it in writing. The State of Healthcare report showed that only 57% of healthcare organisations have a documented information security strategy.
  3. Increase and improve employee training on data and security issues.
  4. Implement early detection tools such as intrusion/misuse detection.
  5. Update business continuity and disaster recovery plans.
  6. Implement mobile device security policies and procedures including encryption and other end point protection.
  7. Check that any vendors or third parties have carried out an appropriate healthcare IT risk analysis, and that they are properly safeguarding the personal information you entrust to them too.
  8. Partner with a reliable document destruction company that has a secure chain of custody and helps you comply with the latest legislation.

Today all industries must have a comprehensive document management process that protects patient records from document creation to document disposal.