How the healthcare industry is learning from data breaches
Not a day goes by without a discussion of the rapid increase in data breaches impacting the healthcare industry. Information and statistics in this regard are inescapable.
For instance, the so-called “Wall of Shame,” the public posting of reported breaches, recently crossed the 2,000-breach threshold. The Wall of Shame first came online in 2009 and took almost five years to reach 1,000 breaches, but needed only another three years to reach 2,000. Clearly, the data show that breaches are happening more often.
While the Wall of Shame has now been around since 2009, there has not been a consistent, comprehensive source for information about healthcare data breaches. Sources are developing though, with the Protenus Breach Barometer being one of my favorites. The Breach Barometer is typically published on a monthly basis and highlights totals of known breaches from the previous month. Tracking the Breach Barometer reveals trends, which were highlighted in the recent mid-year Breach Barometer.
The highlights from the mid-year Breach Barometer are that insider issues and hacking incidents account for the vast majority of incidents. Insider issues can be broken into two large categories: inadvertent mistakes and malicious activities. The inadvertent mistakes could be sending to the wrong address, an email error or some other unintentional act.
To some degree, inadvertent mistakes are unavoidable because no one can be perfect. The key with an inadvertent mistake is to catch the problem early, which makes any resulting mitigation more effective. While inadvertent mistakes are arguably part of human nature, preparing individuals with comprehensive, consistent and ongoing education and training can reduce the risk. When individuals are aware of an issue and know how to address it, the likelihood of occurrence can be reduced, and an appropriate response becomes second nature.
The second major source of insider breaches, malicious intent, is harder to control because, as the name implies, the individual has some bad intent that will motivate attempts to get around defenses. When malicious intent is present, the individual is clearly trying to profit individually or through organized efforts. Awareness of the growing number of malicious intent incidents is the first step in combatting and stopping or preventing them.
Until a couple of years ago, stories of individuals stealing medical information to sell for profit, or otherwise taking advantage of trusted information, were rare. Unfortunately, that is no longer the case. Multiple times per year, a criminal prosecution or similar outcome is reported. Further, malicious intent breaches can often take the form of a “small” breach in which only one or a few individuals have their information accessed. Often, such breaches occur because the individuals know each other, or some personal relationship influences the decision to look.
Even though malicious insiders set out to elude preventive efforts, tools and methods do exist to help address them. For instance, organizations would be well advised to regularly monitor and audit medical record access. Such efforts are arguably easier for electronic medical records because an access log is usually present, and some portions of the review process can be automated. However, it is unclear how consistently organizations do this. Ensuring that access is appropriate is a baseline requirement under HIPAA, so organizational compliance with audit reviews isn’t asking for anything unusual.
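As an added illustration of the automated part of that audit review (example code written for this article, not from any particular EHR product), the following flags two patterns in a constructed access log: a user opening a record of a patient they have no documented care-team relationship with, and a user opening an unusually large number of distinct records in one day. The log format, the care-team roster and the threshold are all assumptions.

```python
"""Audit review of EHR access logs (constructed data, assumed format)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log: one record access per line.
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2018-07-02T08:01:00,nurse01,nurse,P100,view
2018-07-02T08:05:00,nurse01,nurse,P101,view
2018-07-02T09:10:00,clerk07,billing,P100,view
2018-07-02T09:12:00,clerk07,billing,P220,view
2018-07-02T09:15:00,clerk07,billing,P221,view
2018-07-02T09:16:00,clerk07,billing,P222,view
2018-07-02T11:40:00,dr_lee,physician,P101,view
2018-07-02T12:00:00,nurse01,nurse,P300,view
"""

# Constructed care-team roster: users with a treatment or payment
# relationship to each patient (in practice drawn from scheduling/billing).
CARE_TEAM = {
    "P100": {"nurse01", "dr_lee", "clerk07"},
    "P101": {"nurse01", "dr_lee"},
    "P220": {"clerk07"}, "P221": {"clerk07"}, "P222": {"clerk07"},
    "P300": {"dr_lee"},
}

def parse_log(text):
    return list(csv.DictReader(StringIO(text)))

def unrelated_access(rows, care_team):
    """Accesses by users who are not on the patient's care team."""
    return [(r["user"], r["patient_id"]) for r in rows
            if r["user"] not in care_team.get(r["patient_id"], set())]

def high_volume_users(rows, threshold):
    """(user, day) pairs that opened more than `threshold` distinct records."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["user"], r["timestamp"][:10])].add(r["patient_id"])
    return {key: len(p) for key, p in seen.items() if len(p) > threshold}

def review(text, threshold=3):
    """Run both checks and return the findings for a reviewer to triage."""
    rows = parse_log(text)
    return {"unrelated": unrelated_access(rows, CARE_TEAM),
            "high_volume": high_volume_users(rows, threshold)}
```

Findings are leads for a human reviewer, not verdicts: a break-the-glass emergency access or a float nurse covering another unit will legitimately trip the first rule.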
Hacking, the other major reason for the increased number of data breaches, is harder to address. Suffering a hacking attack is largely beyond a single organization’s control. It is a sad but true reality that hackers and other outsiders with bad intent are likely more technologically sophisticated than the organizations they target.
While that disparity may exist, organizations should not resign themselves to being hacked. Intrusion can be made more difficult by implementing countermeasures, patching and updating regularly, and being proactive. Further, no organization should believe that it is too small to be attacked. Practices of all sizes, from single practitioners to multi-state systems, have been attacked and will continue to be attacked.
Despite the increasing frequency of attacks and reports, it is a time for optimism. More sources are quantifying, examining and breaking down the breaches. As such, there is an explosion of understanding about how healthcare information is being used and how it is vulnerable. As more analyses are conducted and distributed, all will benefit. The ability to collectively learn from each incident is one of the reasons for optimism about the future.
Looking ahead, I believe that healthcare, both as an industry and at the level of individual organizations, cares about protecting healthcare information. No one is satisfied with a reality in which more than one breach per day is occurring. Such consistent failings of trust are not acceptable, especially when that reality can be influenced through easily controlled actions.
It is easy to complain and highlight the issues without applauding the everyday work that is improving the situation. It is important not to forget the progress that has been made and the efforts that are ongoing. It is unrealistic to expect that all breaches will be stopped, but we should at least be able to bring the number down, and the groundwork for that exists.