Leonardo M. Tamburello, Esq. of McElroy, Deutsch, Mulvaney & Carpenter, LLP just completed a 3-part series for Inside Counsel on the current state of healthcare data. In the series, Leonardo examines the current state of the healthcare industry and current regulations such as HIPAA, followed by an in-depth examination of the HIPAA Enforcement Rule as an indicator of more aggressive enforcement, and the final instalment on external and internal threats to information, the costs of insecurity, and risk mitigation solutions.
As of October 28, 2014, the Department of Health and Human Services, Office for Civil Rights (OCR) has recorded 1139 data breaches affecting 500 or more individuals. These breaches have affected 39 million individuals.
As noted by Leonardo, the information contained in a person’s medical records is attractive to identity thieves and can fetch up to $1,000 per record (greater than the 25 cents for a Social Security Number or $1 for a credit card number). Though it is true that we have seen more sophisticated hacking, using malware and other technology, to infiltrate systems for this information, the data indicates that the loss or theft of desktop computers, laptops and other portable electronic devices continues to account for 42% of all data breaches in 2014.
Leonardo indicates that a US data breach involving healthcare carries a higher institutional cost per incident, compared to other industries, with data breaches costing $359 per affected individual (vs an average of $201 per individual). These costs include breach response, mitigation efforts, breach notification, defense costs, resolution costs and settlements, civil litigation, public outreach and internal efforts at reform.
Earlier this year, Verizon’s 2013 Data Breach Investigations Report indicated that 60% of the large data breaches could have been prevented by encrypting the covered entities’ and business associates’ laptops and mobile devices. Encryption is only the most basic means of endpoint security; it is possible to achieve even greater endpoint security.
As noted in Leonardo’s series, healthcare organizations need to make security a priority, perform ongoing risk analysis (with actionable steps taken to assess identified risks) and properly educate employees on an ongoing basis about the importance of data security.
Absolute Software has been providing healthcare organizations with solutions to manage and secure their IT endpoints, and the data they contain, since 1993. To learn more about how our solutions can help your healthcare organization mitigate risk, safeguard patient data and comply with healthcare regulations, read here. It is possible to prevent a healthcare security incident from turning into a data breach; we can help.