Thursday, March 07, 2013
Healthcare data breaches often originate outside the medical organization
Data breaches are a serious problem for virtually every organization, regardless of industry. These incidents can have a disastrous impact on a firm, leading to a loss of credibility, exposed intellectual property and the imposition of fines and other sanctions.
While these effects can be devastating for organizations of all kinds, they are particularly damaging when it comes to the healthcare industry. More than companies in just about any other industry, healthcare firms possess and are responsible for the protection of a tremendous amount of extremely sensitive client data. If patient medical and financial records are exposed, those individuals will be at serious risk of becoming victims of identity theft and fraud, not to mention the personal violation inherent in the exposure of private medical information.
With all of this in mind, most healthcare organizations take great precautions to protect their data. However, despite such efforts, data breaches are still an unfortunately frequent occurrence in the industry.
According to a recent study, though, these incidents may be more due to third-party partners than healthcare institutions themselves, suggesting that these organizations need to both implement secure file transfer solutions and ensure their partners have done so, as well.
Breaches beyond the walls
The analysis, conducted by information technology security firm Redspin, looked at 538 data breaches reported to the Department of Health and Human Services, American Medical News reported. Of these incidents, 57 percent involved third-party business associates. These incidents impacted an average of fives times more patient records than data breaches occurring at covered entities.
According to Dan Berger, president and CEO of Redspin, the nature of the data breaches involving third parties was similar to those which were striking healthcare providers, the news source reported. However, third-party business associates tend to deal with more concentrated sets of patient data, which makes a given data breach more significant.
Additionally, Berger noted that these business associates are typically less aware of or affected by the Health Insurance Portability and Accountability Act (HIPAA), which includes provisions for the protection of patient data. The result of this disconnect is that healthcare business associates may not be as meticulous when it comes to data protection as healthcare providers themselves.
As American Medical News highlighted, one of the most significant takeaways from this study is that "practices need to be more vigilant in assessing their contractors' ability to handle the data properly."
Hospitals may, for example, decide to work with a third-party firm that can perform big data analytics on the provider's electronic health records (EHRs). To this end, the hospital will likely use a secure file transfer solution which can guarantee the integrity of the data while it is in transit. However, to guarantee the data remains secure, it is imperative for hospitals to only work with firms that are similarly committed to data protection and willing to utilize similar tools to achieve this end.