5 Steps to Preventing Security Breaches

By Lena J. Weiner | March 20, 2014

Medical records are a high-value commodity, fetching up to $50 each. Medical data breaches are being reported ever more frequently. Risk assessments and basic IT and social media policies can help protect your organization.

Eight computers were stolen from medical billing contractor Sutherland Healthcare Solutions in Torrance, CA, on February 5, 2014. A month later, the week of March 6, many patients received letters on Sutherland letterhead alerting them that their personal data, including first and last names, social security numbers, and billing information—and possibly their dates of birth, addresses and even their personal medical information and diagnoses—had potentially been compromised. As many as 173,900 patients may be affected.

Medical records are a high-value commodity. While social security numbers go for about one dollar each on black market websites, medical records can fetch as much as $50 each, according to the Medical Identity Fraud Alliance.

The information in a medical record is an identity theft goldmine: it contains the Social Security number, home address, and date of birth needed to commit generic identity theft. A more specific kind of identity theft, in which a patient's medical identity is resold to uninsured people who are desperate to access medical care, has been particularly lucrative.

Medical data breaches like the one in California are being reported more frequently. Since 2009, there has been a 138% increase in HIPAA data breaches, according to healthcare IT security firm Redspin.

But is this increase due to more breaches actually happening, or simply better reporting? Since last year, the penalties for not reporting a data breach have increased along with the number of reported breaches.

Lee Kim, director of privacy and security at HIMSS, says that while it's still unclear whether the number of breaches is growing, healthcare leaders should assume the numbers are accurate until we learn otherwise. "The number of breaches and quantification surrounding them depends upon who is responding, what the culture is about reporting such breaches within the organization, and the rate of detection of looking for these incidents," Kim says.

The reported number of breaches depends heavily on the sources: how adept they are at catching an intrusion in the first place, and how dutifully they report it once found, she says. "There's something to be said for how on our toes we are regarding reporting breaches quickly. Are we being proactive enough?"

Five ounces of prevention
Kim has the following tips for avoiding theft of your patients' medical identities:

  1. "You should be doing regular risk assessments," she says. "Remediate and mitigate risks. Consider all risk factors inside and outside of your organization, including all factors relevant to a mobile workforce." Kim adds that mobile computing, VPNs, and cloud computing can all be added risk factors employees might not immediately consider.
  2. Perform simple measures like ensuring routers are set up correctly, installing firewalls properly, and changing your passwords frequently. These steps alone can prevent many breaches. Since most healthcare organizations don't operate at a huge profit, other expenses tend to take priority over recruiting IT staff and installing strong security systems—but spending a little extra on hiring the right people for this job and ensuring an adequate technology budget can pay off.
  3. The distributed nature of healthcare makes it vulnerable to breaches—not only does a doctor's office have access to records, but also hospitals, insurers and billing contractors like Sutherland Healthcare Solutions. While some of this is simply the nature of the industry, Kim adds that it's a good idea to regularly inventory all "containers" of information, then remediate and mitigate the risks as needed.
  4. "Strengthen your social media and file sharing policies," implores Kim, adding that all organizations need official acceptable use policies.
  5. Being familiar enough with your system to know you've been breached isn't as easy as it might sound, but it can mean the difference between proactively notifying clients early and notifying clients only because it's required by law or regulation—which is not good for consumer relations. "Is your team looking for breaches or security incidents proactively? What are your organization's technological capabilities? Even if they have the ability to determine they've been breached, what's their process if there's a possible incident or breach?" Kim asks. Have an action plan in place in case a breach does occur, too.

Of course, preventing breaches from happening is the ideal, in which case the IT team may not see or hear anything. "If it's a well-oiled machine, you won't hear the engine cranking," Kim says, adding that many potential breaches are prevented by expert security professionals. "There's a hidden battle going on… Sometimes, the security pro is the unsung hero."

Lena J. Weiner is an associate editor at HealthLeaders Media.