Healthcare Data Breaches Are Common, Putting Patient Data At Risk

Posted by Marianna Prodan

Healthcare data breaches are increasingly common. That is one of the stark conclusions of the Ponemon Institute's sixth annual study on the state of security and privacy in the healthcare industry. Drawing on a detailed survey of healthcare organizations (HCOs) and their business associates (BAs), the Ponemon study found that in the previous 24 months:

  • 89% of healthcare organizations had experienced at least one data breach
  • 79% had experienced two or more data breaches
  • 45% had experienced five or more data breaches

The sources of data breaches varied, but criminal actors, either inside or outside the HCO, played significant roles. When asked about the root cause of data breaches:

  • 50% of healthcare organizations cited criminal attacks
  • 41% cited errors by third parties
  • 39% cited stolen computing devices such as laptops
  • 13% cited malicious insiders

Criminals clearly understand the value of stolen medical records for perpetrating medical fraud and other forms of identity theft. A stolen medical record can be used to illicitly obtain prescriptions, medical equipment such as electric wheelchairs, and medical care worth thousands or even tens of thousands of dollars. Experian reports that the average case of medical fraud ends up costing the victim over $22,000. It is not surprising, therefore, that on the black market a stolen medical record sells for 10 times the price of a stolen credit card.

Since medical fraud is so lucrative, HCOs and BAs should expect the attacks on medical files and billing records to continue.

The Importance of Data Security for Business Associates and Other Third Parties

This year's Ponemon healthcare data survey was the first to include business associates as respondents. Broadening the focus of healthcare data security to include the business associates of healthcare organizations makes sense. In 2009, the Health Information Technology for Economic and Clinical Health Act (more commonly referred to as the HITECH Act) extended the HIPAA Privacy and Security Rules to apply directly to an HCO's business associates: third-party administrators, medical transcriptionists, law firms, CPA firms, and other parties providing services such as data analysis, practice analysis, and billing. Given the nature of their work, these organizations inevitably end up handling protected health information (PHI) such as medical records, and their systems can be compromised just like an HCO's. As a result, the HITECH Act requires business associates to meet the same standards for data privacy and data security as HCOs themselves.

HCOs seem to recognize the risks posed by BAs and other third parties. According to the Ponemon survey, about a third of HCOs believe that BAs are not vetted carefully enough, and a majority (61%) of HCOs are now paying more attention to the data security practices of the BAs they work with.

Solving the Problem of Data Breaches in Healthcare

To reduce the frequency and scope of data breaches, HCOs and their business associates need data security and data governance solutions that work with their existing IT systems. Specifically, HCOs and BAs need:

  • Comprehensive data security - Data should be secured across the enterprise, regardless of whether it is stored on-premises or in the cloud. How it is accessed (e.g. desktop, laptop, tablet, mobile or wearable) must be considered as well. Ensuring that the data is encrypted in transit, in use and at rest is a great start.
  • Comprehensive Antivirus (AV) protection - Anti-malware screening that stops rootkits and other software tools used by attackers should be in place. On mobile devices, sensitive content should be stored in a “secure container,” a protected area of memory and storage that minimizes the risk of contamination from malware that might reside elsewhere on a device.
  • Support for secure collaboration - Because healthcare is inherently collaborative work, content management solutions that support common collaboration tasks such as task management, threaded discussions, and more should be equipped with security features to ensure healthcare providers can collaborate securely.

The kiteworks Solution for Healthcare Data Security

kiteworks by Accellion is a secure file sharing platform that enables secure access to enterprise content sources, allowing HCOs and BAs to share, send, sync and edit files on any type of device, from any content store.

Designed to reduce the risk of data breaches while supporting compliance and collaboration, the kiteworks platform:

  • Encrypts data in use, in transit, and at rest.
  • Provides controls and monitoring tools for IT administrators to enforce security policies and monitor the distribution of PHI.
  • Integrates with a broad range of ECM platforms and data storage services, including Microsoft SharePoint, EMC Documentum, OpenText, Box, Dropbox, Google Drive, and others. Through this integration, kiteworks enables HCOs and BAs to enforce security policies consistently across all content systems, including public cloud data services.
  • Enables healthcare providers to share content securely with trusted partners outside the HCO. Secure collaboration features include digital watermarking, restricted administrator rights, and expiration of files and folders, among others.
  • Provides built-in AV scanning to stop malware from infecting mobile devices and their content.
  • Enables “remote wipe” or remote deletion of data on devices once IT administrators know a device is missing or an employee has left the organization.
  • Supports task management and threaded discussions to ensure mobile employees have access not only to content but also the context for content.

To learn how kiteworks is helping leading HCOs such as Kaiser Permanente, Seattle Children’s Hospital and Indiana University Health protect PHI while supporting collaboration, please visit our healthcare page.