About 94% of health care organizations have had at least one data breach in the last two years, and experts warn that more targeted cyber-attacks are likely on the way, making the task of protecting patient data more challenging.
According to a report by the data security firm ID Experts, 12.5 million individuals were victims of identity theft in 2012, compared with five million individuals in 2003. Experts say that increase reflects the changing nature of most health data security breaches, which have evolved primarily from human error to sophisticated cyber-attacks.
Hackers and cyber criminals are especially targeting personal health information (PHI), which is inherently valuable and relatively easy for thieves to obtain, according to Rick Kam, president and co-founder of ID Experts.
"These criminals essentially are finding ways into those systems to go after very specific pieces of data, and using that data to create bigger frauds," Kam told American Medical News. He notes that several studies suggest that medical records hold an average black market value of $50 per record.
Despite safety efforts, data has become easier to access
As data has become more easily transportable to unsecured smartphones, laptops, and tablets, thieves have had more opportunities to target sensitive information, experts say.
"The proliferation of mobile devices presents a whole new threat," says James Christiansen, the chief information risk officer at risk management firm RiskyData. He added that the devices "are woven into the fabric of the enterprise computing environment, but we don't have the needed controls at the enterprise level yet."
Experts anticipate that data breaches will become more frequent and more severe before the problem is resolved. Kam worries that the statewide health information exchanges will become a source of breaches because many are short on funding and might lack the ability to safeguard their data.
What hospitals can do
Although state and federal laws in recent years have created more awareness of data risk, many health care organizations are relying too much on technology to protect their information when they should focus on using the systems correctly and streamlining employee training, says John Sileo, CEO of data security consulting firm Sileo Group.
Kam recommends that more attention be paid to training business associates. Starting in September, business associates will be subject to the same enforcement penalties as other HIPAA-covered entities.
Additionally, Robin Slade of The Foundation for Payments Fraud Abatement & Activism stressed that organizations need to develop incident response plans that include long-term monitoring programs (Lewis Dolan, American Medical News, 7/29).