Thanks to the rampant digitization of healthcare data, breaches have become commonplace in an industry that lacks advanced security practices. In this industry-wide report, those who have dealt with breaches implore others to shore up internal security practices and be transparent. As one CIO keenly notes, “we’re all in this together.”
Here’s something that may keep your typical healthcare CIO from getting a good night’s sleep: the growing list of data breach victims on the federal Department of Health and Human Services (HHS) website. From breaches affecting 500 patients to those that impact millions, it’s an extensive catalog, which shows how even the most sophisticated provider and payer organizations are susceptible to this growing threat.
The list is part of HHS’ effort to make organizations more transparent when data has been breached. Its existence is mandated by the federal Health Information Technology for Economic and Clinical Health (HITECH) Act. While getting on the list is not something leaders at any provider-based organization will ever want to achieve, for many, it could be only a matter of time. Even if it’s not a breach that affects 500 or more patients, the industry-wide consensus, from analysts to CIOs, is that unless an organization is aggressive in protecting its data, vulnerabilities are inevitable.
“If you don’t believe your data is at risk, you don’t know what’s going on,” John Halamka, M.D., CIO at the Boston-based 649-bed Beth Israel Deaconess Medical Center (BIDMC), says matter-of-factly.
Michael ‘Mac’ McMillan, chair of the HIMSS Privacy & Policy Task Force, and co-founder and CEO of CynergisTek Inc., a health information security and regulatory compliance firm based in Austin, Texas, says data breaches have become a near-weekly occurrence due to three main factors, all converging at the same time. The first factor is the rapid digitization of healthcare data, driven by meaningful use and other regulatory mandates. Second, he notes that healthcare entities are still using manual, outdated processes for data protection. Lastly, he says, privacy and security are not the priority they should be.
“The overwhelming majority of breaches today are caused by carelessness or lack of attention to controls, or lack of attention by the organization,” McMillan emphasizes.
Statistics on data breaches are not definitive, but they are revealing. While the number of data breaches affecting 500 or more patients fell this past year by 32 percent from the previous year, the number of patients impacted by those breaches doubled, from 5.4 million to 10.8 million, according to data compiled by Kaufman, Rossin, and Co., a Miami-based accounting firm. Other studies have painted an even darker picture. The Ponemon Institute (Traverse City, Mich.) found in December of 2011 that data breaches have increased 32 percent year-over-year, with 96 percent of the healthcare organizations that were surveyed reporting that they experienced breaches during the last two years.
The most alarming report may be from security firm Symantec (Mountain View, Calif.), which looked at the top 10 sectors by number of data breaches in 2011. The healthcare industry was the unlucky “winner,” with 43 percent of the healthcare organizations reporting that they had breaches, far ahead of the government sector, which was second at 13 percent.
Cost is another factor that adds to the weight of data breaches. According to the Ponemon study, data breaches are costing the healthcare industry an average of $6.5 billion annually. McMillan says the fine levied on an institution when it suffers a data breach is only a fraction of the actual cost.
Using an example of a breach that cost a provider organization just over $600,000 in fines, McMillan says, “More than that fine, they spent countless man hours in remediation activities, and they’ve reached a resolution agreement with the federal government that requires them to come up with a full time monitor for three years. That breach, between legal issues, resolution, remediation, etc. is probably costing them between $4-5 million.”
Infographic data provided by Kaufman, Rossin & Co. and the Ponemon Institute
While data breaches come in all shapes and sizes, for most healthcare leaders, the lessons learned are strikingly similar. In the case of Jim Turnbull, CIO of the four-hospital, integrated University of Utah Health Care system, the breach at his organization wasn’t even perpetrated by someone from within. Instead, a third-party organization was faulted for allowing the backup data tapes, which were being sent to a storage facility in the mountains, to be stolen.
The data tapes, which Turnbull says contained information on approximately one million patients, later turned up in the house of some small-time thieves. The data, which had been backed up, was not lost. Still, Turnbull said, the healthcare system, which had immediately begun the process of notifying patients, learned some lessons, even with the positive outcome.