News Feature | January 12, 2016

Why You Should Share The 2015 Data Breach Tally With Your Healthcare IT Clients

By Megan Williams, contributing writer


The numbers are in on the Office Of Civil Rights’ tracking of healthcare data breaches (via Forbes) and as expected, they aren’t pretty.

Here’s what last year’s healthcare data breaches (according to HIPAA reporting standards) look like:

  • 253 breaches affecting 500 or more individuals
  • 112 million records lost
  • The top 10 breaches accounted for just over 111 million records lost, stolen, or inappropriately disclosed
  • The top six affected at least 1 million people
  • Four of those six were BCBS organizations

The Breaches

The majority of the breaches fell under the “unauthorized access/disclosure” category, but 90 percent of the top 10 were classified as a “hacking/IT incident.” Across the entire body of breaches, “hacking/IT incident” represented only 21 percent, and “theft” came in at 29 percent.

Anthem held its position as the largest breach, accounting for more than 70 percent of all compromised records and leaving roughly 33 million spread across every other organization. Anthem, though, minimized the impact on the people affected because it carried at least five layers of cyber insurance, with coverage of between $150 and $200 million.

Is HIPAA Working?

It would appear that HIPAA isn’t having the impact hoped for after its 1996 passage. According to a ProPublica article: “But in reality, it is a toothless tiger. Unless you’re famous, most hospitals and clinics don’t keep tabs on who looks at your records if you don’t complain. And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS [U.S. Department of Health and Human Services] inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them.”

What’s Ahead?

This year promises more of the same unless changes are made throughout the industry. A separate Forbes article highlighted five areas in which the healthcare industry needs to make some changes:

  1. Too much focus on compliance
  2. Ignoring BYOD security issues
  3. Not spending enough on security
  4. Not prioritizing security across the organization
  5. Over- or under-simplifying IT systems

It’s likely that your clients have at least one, if not all, of these issues. Start off 2016 with some very honest conversations about their threat profiles and about the steps they should be taking to keep patient information as safe as possible.