A new study published in JAMA Internal Medicine, analyzing HHS statistics on data breaches reported from late 2009 through 2016, provides new insight into which organizations are most vulnerable to data breaches in the healthcare industry. In addition to larger hospitals with a high bed count, the study found that teaching hospitals are more likely to be a prime target for data breaches: of the 141 acute care hospitals that reported breaches, 52 were major academic medical centers, making up more than a third of all affected organizations.
The breaches analyzed over the seven-year study period were mostly reported by covered entities, which accounted for 1,225 of the 1,798 recorded breaches, with business associates, health plans, and healthcare clearinghouses reporting the rest.
A small number of healthcare providers had suffered multiple breaches. Advocate Health, based in Illinois, was breached on two separate occasions, with more than 4 million records being compromised. The University of Rochester Medical Center and Affiliates and Montefiore Medical Center, both located in New York, were each breached four times. The study also found another four hospitals had reported three breaches each, with 15% of all organizations being breached more than once.
At twenty-four of the breached hospitals, the personal information of at least 20,000 individuals was compromised, and at six hospitals, more than 60,000 individuals were affected. The HHS data breach database only holds information on breaches of 500 or more records, the threshold at which an organization is required to report a breach, so it is highly likely that significantly more incidents have occurred than are included in this study.
Lead researcher Ge Bai, assistant professor at the Johns Hopkins Carey Business School, said:
“Data breaches negatively impact patients and cause damage to the victim hospital. To understand the risk of data breaches is the first step to manage it. It is very challenging for hospitals to eliminate data breaches, since data access and sharing are crucial to improve the quality of care and advance research and education.”
This statement may alarm healthcare providers, and while there may not be a way of completely preventing a data breach, there are a number of ways to reduce the risk, including:
- Conducting regular employee training to ensure that staff are aware of the tactics and hacking techniques used by cyber criminals (such as domain spoofing, malware, ransomware, and phishing scams).
- Investing in data loss prevention controls and activities, such as encryption of data at rest and in transit.
- Frequent testing and updating of all IT security software, firewalls, and other endpoint security controls.
- Ensuring that strong passwords and multi-factor authentication methods are in place for access to PHI.
- Putting strict BYOD policies in place to prevent employees from accessing PHI via non-secure methods.
- Storing and transmitting PHI via a secure method; if this is managed by a third-party provider, the provider must agree to sign a Business Associate Agreement (BAA) to ensure HIPAA compliance.