By Rick Kam, CIPP, & Jeremy Henley
Given the growing prevalence of data breaches in healthcare, the theft of protected health information (PHI) has become a major concern for hospitals and practices across the country. Thieves value this “big data” for its profit potential—often reselling it to other thieves or using it for multi-million-dollar healthcare fraud schemes.
Three trends are contributing to the increased growth in the number and complexity of data breaches:
1. Growing dependence on business associates. Gone is the idea of “it’s easier to do it myself.” Economic realities are causing companies to outsource many of their functions, such as billing, to a business associate or third-party provider. Unfortunately, the more parties with access to privacy data, the more likely a data breach will occur.
We’ve seen this trend in healthcare, where growing liability and the extra-sensitive nature of patient health records make data breaches a particularly painful experience. Even if a business associate causes a data breach, the healthcare provider is accountable for the loss or theft of the data.
This problem is compounded by the lack of trust healthcare organizations place in their business associates: 69 percent of healthcare organizations that participated in a study on patient privacy and data security by the Ponemon Institute say they have little or no confidence in their business associates’ ability to secure patient data. In fact, several data breaches in 2011 point to errors caused by business associates. Yet it is the primary data owners that face class-action lawsuits.
2. Taking data to the cloud. To offset computing expenses, many organizations are outsourcing data processing to third-party cloud providers. For example, the cloud’s applicability for Health Information Exchange (HIE)—a main component of the Electronic Medical Records or Electronic Health Records (EMR/EHR) meaningful use initiatives—could contribute to the strong growth of cloud computing in healthcare, according to CompTIA.
As with business associates, cloud computing raises a host of security concerns, as well as challenges when responding to a breach. A cloud computing provider may deny access to its data centers during an investigation, or prohibit forensics from making a mirror image of a server—a common forensics method—because it may have multiple customers’ data on that server. A cloud computing provider may disclaim liability, leaving an organization to bear the brunt of the risk and cost.
3. Using personal mobile devices for business, or bring your own device (BYOD). To save money and to simplify life for employees who don’t want to carry around multiple devices, companies are allowing the use of personal devices to store or process corporate privacy data. More than 80 percent of respondents in the Ponemon study say they use mobile devices that collect, store and/or transmit some form of protected health information (PHI).
Yet, half of the respondents in the Ponemon study say they don’t do anything to protect these devices. In addition, connecting a device with corporate privacy data to less-than-secure home networks increases the risk of a data breach. And the portable nature of mobile devices makes them all too easy to steal or lose. Many companies are developing BYOD policies to enable a certain level of security.
Economic realities and technological advances have forever changed the way healthcare organizations amass, use, and store their biggest asset—data. The increased dissemination of data to more people in less-secure environments puts that asset at risk for exposure. Smart hospitals and practices understand that risk, and are taking proactive steps to protect their data, their patients, and their good name.
Rick Kam, CIPP, is president and co-founder of ID Experts. He is an expert in privacy and information security, with extensive experience in leading organizations to address the growing problem of protecting PHI/PII and in helping organizations remediate privacy incidents, identity theft, and medical identity theft.
Jeremy Henley is the insurance solutions executive for ID Experts. He has been certified by the Healthcare Compliance Associate for Healthcare Privacy and Compliance and brings a dozen years of sales, consulting, and leadership experience to the company.
For more information, visit www.idexpertscorp.com.