Cybersecurity is a hot topic in the healthcare arena, with high-profile breaches at Premera Blue Cross and Anthem highlighting the vulnerability of organizations holding high volumes of sensitive information. The U.S. Department of Health and Human Services reported 235 breaches in 2015 involving more than 112 million health records – 100 times more than any other year. And 8 out of 10 of the largest healthcare hacks ever happened last year. To address the issue, the HHS is putting together a Health Care Industry Cybersecurity Task Force as part of the Cybersecurity Information Sharing Act of 2015.
Yet in 2016, the biggest threats to healthcare data security so far are something far simpler: theft, misplaced laptops, and even garbage trucks.
The HHS Office for Civil Rights’ data breach reporting tool shows that the largest incidents this year involved improper disposal of records and devices, potentially putting millions of records into the wrong hands.
- The Radiology Regional Center in Florida found paper records on a Fort Myers street that apparently fell off a truck while in transit to the Lee County Solid Waste Division. The records contained the information of 483,063 patients, including names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, medical status, and financial information.
- Premier Healthcare in Bloomington, IN reported in March that a laptop went missing for nearly three months, and while forensic analysis showed the laptop was never powered up during this time, the incident had the potential to expose the information of roughly 205,000 individuals.
- Springfield, OH-based Community Mercy Health Partners found a number of patient records in a dumpster, where a business associate had improperly disposed of them. These records contained PII and PHI for more than 113,000 people.
- The Washington State Health Care Authority reported a potential breach affecting more than 91,000 patients when two employees mishandled information by exchanging it through insecure, improper channels.
- Valley Hope Association in Kansas reported that an employee’s laptop was stolen from their car, with a potential 52,076 individuals affected.
While the organizations involved in the majority of these instances reported that information and/or devices were recovered before any damage could be done, the troubling trend points to the need for comprehensive security training among those working in the healthcare industry.
Organizations have enough on their plates, with sophisticated cyber attacks infiltrating servers and databases, without falling prey to a simple lack of protocol and awareness among their own staff.
To minimize the risk of mishandled files, documents, and devices, organizations may want to consider bringing in security awareness training from a third-party vendor. Regardless of the approach, however, it’s important to have robust security policies in place that cover not only digital threats, but also the management of physical property. Such policies should include:
- Compliance requirements for third-party vendors, including those responsible for destroying records that have reached the end of their retention schedules.
- Clarification on where employees may take laptops and other work-issued devices, policies for physically securing such devices, and multi-layered security and encryption of the data stored on them.
- Comprehensive procedures regarding the transfer of data.
- Prohibitions on employees bringing specific files outside of the office, whether limiting the type of employee allowed to remove work, the type of documents that can leave, or both.
As digital security becomes an ever greater concern among healthcare organizations, companies should remain vigilant about physical assets and the less sophisticated means of accessing sensitive data. A full training program for employees and regular updates on policies and procedures can go a long way toward protecting data on all fronts.