
Study: 23 percent of all data breaches occur in healthcare

Healthcare data is more valuable than many other forms of personal identification because information such as birth dates, Social Security and insurance ID numbers don’t change and criminals can charge premium prices on the black market.

[Figure: Brookings breaches. Source: Brookings Institution]

A new Brookings Institution study finds that healthcare data breaches are increasing, despite growing public awareness, increased security assurances and rising government fines.

The study found that 23 percent of all data breaches occur in healthcare, and that almost 1,500 healthcare breaches in the past six years have affected 155 million Americans. The total number of breach victims tripled in the last two years alone. The per-record cost for healthcare data breaches is $363, the highest of any industry.


The 28-page study was authored by Niam Yaraghi, a fellow with Brookings’ Center for Technology Innovation. Yaraghi examined recent healthcare data breaches and sought to explore the underlying factors leading to them and ways to prevent future incursions. He interviewed 22 IT leaders within healthcare provider and insurance companies.

He said that healthcare data is more valuable than many other forms of personal identification because information such as birth dates, Social Security and insurance ID numbers don’t change and criminals can charge premium prices on the black market.

According to the study, digitized personal health data increasingly is shared with insurers and other providers, contributing to the likelihood of breaches. Yaraghi said that federal health agencies encouraged the proliferation of electronic health records before providers and payers had adequate security measures in place, and he believes that healthcare organizations still have not invested sufficiently in cybersecurity.

“In the financial industry, for example, the value of cybersecurity specialists is better understood,” he said, while noting optimistically that recent ransomware attacks have served as “wake-up calls” for many healthcare organizations.

“They’ve learned that they can no longer operate the way they did. Security is becoming a much more integral part of their healthcare system. They need to treat cyber security with the same priority as other departments,” Yaraghi said.

He said it’s unrealistic to expect small community hospitals to muster the resources to combat well-funded and determined criminal organizations intent on breaching their data, particularly when large national banks, retail chains and even the federal government have been hacked.

“That should not prevent hospitals from keeping their systems updated and avoiding the kinds of human errors responsible for most data breaches,” Yaraghi said. He pointed out that healthcare organizations can adopt better practices and policies to prevent lost laptops, misplaced hard drives and employees clicking on suspicious files hiding malware and spyware.

He recommended healthcare organizations prioritize patient privacy and protect it. At the very least, healthcare firms should share information about data breaches and exchange best practices and lessons learned.

“Right now that information sharing about security and privacy practices is not widely shared,” he said.

Yaraghi further advised healthcare organizations to invest in cyber insurance, though he conceded the market for such products is not yet mature.

Yaraghi said that the HHS Office for Civil Rights, which is charged with investigating healthcare data breaches, should better disseminate information about its audits and investigations. He said government penalties imposed for healthcare data breaches have been inadequate.

“There should be less emphasis on punishment and more on prevention,” he said.