Lessons from 2018 Healthcare Data Breaches
Healthcare was hit hard in 2018, with a 158% year-over-year increase in the number of records compromised compared to 2017, and it doesn’t look to be slowing down anytime soon. In 2019, healthcare organizations have already experienced more than one data breach per day in January alone. The largest cause of the breaches was hacking, while other factors like unauthorized disclosure, theft and improper disposal were responsible for six of the largest breaches last year.
Healthcare Breaches on the Rise
Since 2009, when the U.S. Department of Health and Human Services (HHS) began publishing statistics on providers, health plans, and business associates, more than 59% of Americans have been victims of a healthcare breach. Over 90% of healthcare organizations have experienced a data breach since 2016, with nearly half having had more than five data breaches during the same time-frame.
A Targeted Industry
This steady rise of breaches clearly shows that the healthcare industry is increasingly being targeted. Why? First of all, the data is incredibly valuable. A single medical record yields an average profit of $20,000, compared to just $2,000 for credit card information. There is also a lack in sufficient security training for healthcare employees, which can easily lead to external attacks from malicious actors or internal breaches from employee negligence or simple human error. Lastly, because healthcare IT infrastructure must be highly connected for instant access to patient records, just one area being attacked in a hospital could bring down the entire network.
Record Year for Penalties
When it comes to penalties, 2018 was a record-breaking year with a whopping $25,683,400 in HIPAA fines. If a company has not taken appropriate measures to protect its private information, they will be held responsible. A recent study found that it costs healthcare organizations an average of $408 per each lost or stolen record from investigations, regulatory filings, loss of business, negative impact on reputation and employee time spent on recovery.
What lessons can we take away from 2018?
Be prepared. With the incredible amount of data breaches happening today, especially in the healthcare industry, organizations must cover all their bases. Make sure you are aware of your state’s privacy legislation and follow the HHS recommendations for devices or media that have reached their end of life to guarantee the proper security and destruction of protected health information (PHI).
- Develop a comprehensive data destruction policy for any media containing electronic device such as tablets, laptops, servers, hard drives and USB drives.
- Have a properly executed Business Associate Agreement with all vendors who manage any data or data-containing equipment.
- Use a certified provider for data destruction to ensure ePHI is properly destroyed and cannot be recreated.
- Ensure secure storage of data containing equipment and devices in an isolated area prior to transfer to external sources for disposal or destruction, or determine if onsite shredding is required by your provider instead.
- Ensure you have a clear chain of custody in place for all assets including accurately updated inventories that reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned.
- Ensure any asset tags and corporate identifying marks are or will be removed by your vendor.
- Ensure any individuals handling the organization’s assets have been subjected to workforce clearance processes and have undergone appropriate training.
A proper IT Asset Disposition (ITAD) and electronics recycling provider will help you stay in compliance with HIPAA and HITECH and prevent data breaches caused by improper disposal. As the only certified provider in South Dakota and North Dakota, SEAM has multiple safeguards in place to protect sensitive data on devices and electronic equipment when its ready to be disposed, recycled or resold. Contact SEAM online or call them at 605-274-7326 for a free security audit of your current program.