HIPAA Breaches Cost Healthcare Industry $5.6 Billion a Year

A recent report from the Ponemon Institute has highlighted the seriousness of the threat from cyber attacks and should serve as a warning to healthcare providers that they must improve data security.

The cost to the industry is considerable. Data breaches are estimated to cost the healthcare industry $5.6 billion a year, and that money could be put to much better use improving healthcare facilities and conducting research.

While the report indicates there was a small reduction in the number of data breaches reported last year, the volume of patient records compromised is considerable, and the number of cyber attacks on healthcare providers – and other covered entities – has grown at a tremendous rate, with the number of hacking-related incidents having increased 100% since 2010.

While targeted hacks on insurers and healthcare providers are clearly on the increase, many data breaches are caused by ignorance of data security rules and simple carelessness by physicians and hospital staff. It may not be possible to prevent data breaches from occurring in all cases – hackers are using increasingly sophisticated methods to gain access to healthcare data – but the volume of data breaches can be reduced and the number of individuals affected can be minimized by adopting basic security measures and tackling sloppy working practices.


According to Larry Ponemon, founder and chairman of the Ponemon Institute, “The people in the healthcare industry are good people who sometimes do stupid things, and that is the source of a lot of the problems.” He went on to say, “They’re trying to get their work done, they feel under pressure, they’re in the business of caring for patients, and they don’t want to waste time to do more security or take that extra step to protect privacy.”

The Problem will Only Get Worse

The growth in the use of mobile devices in the healthcare industry makes privacy breaches much more likely to occur in the future. Android and iOS phones allow information to be sent instantly to work colleagues, and while this can improve the care given to patients, their privacy is being put at risk. Many of the devices being used to communicate PHI are insecure and do not employ data encryption. Hackers may not be interested in individual records sent via unsecured text messages when there are millions of records to be obtained from insurance companies and healthcare providers, but the devices still represent a major risk.

Healthcare data is also now being shared more frequently since the move to electronic health records. Covered entities employ business associates to conduct essential functions, such as website maintenance, providing cloud storage and developing software, and many of these companies and individuals are given access to PHI.

According to a recent CNBC report, on average between 6 and 10 different companies are given access to healthcare data or PHI by healthcare providers, and a single trip to hospital could see a patient’s healthcare data, personal details and Social Security number shared with many different individuals. According to CNBC, “This could include the medical center, an ambulance company, outside labs, doctors who don’t bill through the hospital, health insurance, and if you don’t pay on time, a debt collector.” With so many different companies having access to healthcare data, the probability of a breach occurring is greatly increased.

The Affordable Care Act has Made the Problem Worse

According to the report, the Affordable Care Act has made the situation much worse. In October last year, millions of patients joined the healthcare system, yet due to the rush to beat the October deadline, data security standards were poor. Rick Kam, founder and president of ID Experts – which sponsored the Ponemon study – said “A lot of energy and resources were spent on just making sure the exchanges operated. Unfortunately, not enough effort has been spent to make sure they were secure.”

The Ponemon survey involved interviews with senior-level security personnel at healthcare providers, 70% of whom believed the Affordable Care Act has increased – or significantly increased – the risk of data theft because inadequate security measures have been implemented to protect data. The ACA is believed to have increased the opportunity for thieves to access healthcare data, and according to the Executive Director of the World Privacy Forum, Pam Dixon – who was involved in the study – the Affordable Care Act was like “adding jet fuel” to the medical identity theft problem.

Key Findings of the 2014 Ponemon Medical Identity Theft Survey

The number of hacking incidents is clearly on the increase, although the major concern of security officers is employee negligence, with 75% of the survey’s respondents citing this as a major concern. In particular, the growth in the use of mobile devices in healthcare is a worry, as too little is being done to secure those devices.

BYOD schemes have proved popular, with 88% of healthcare providers allowing medical professionals to use their own laptops, smartphones and other portable storage devices in the workplace. However, according to the survey, more than half of the respondents did not believe the devices to be secure.

This is backed up by Ponemon data suggesting that as many as 38% of healthcare providers have not taken the necessary steps to secure these personal devices, even though they are being used to communicate PHI. Even popular file sharing programs are apparently being used by some medical professionals to share data, which not only raises the risk of unauthorized disclosure of PHI, it virtually guarantees it.

Ponemon Institute told CNBC reporters that given the volume of devices in use and the lack of controls to protect the data stored and sent, “You could be oozing a lot of information and never know you had a data breach.”

Patients Urged to Check EOB Statements

Since so many individuals potentially have access to PHI and the security measures used to keep the information private can be substandard, the probability of an individual being affected by medical fraud is surprisingly high. Patients may be at the mercy of their healthcare providers and insurance companies, but that does not mean they are powerless to do anything about medical data theft.

There is one very important step which can be taken to ensure that patients do not have to foot the bill for someone else’s healthcare: Explanation of Benefits (EOB) statements must be checked to monitor for medical fraud.

The information detailed in these statements allows individuals to check whether any third party is claiming benefits, has undergone medical procedures, or has obtained prescriptions using their personal information and ID numbers.

If any entry does not appear to be correct, or contains the name of a doctor or healthcare provider who has not been visited, it MUST be queried. Patients may not be required to cover the cost of these bogus claims initially, but ultimately they may have to foot the bill. It is therefore vital that these statements are checked before thousands of dollars of prescriptions and medical services are fraudulently obtained.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.