More than 45% of data breaches are reported by the healthcare industry. This year, one of the biggest healthcare data breaches was reported by a Fortune 500 healthcare company, which suffered a ransomware attack and data breach that affected 365,000 patients. In another instance, a healthcare services firm suffered a breach that affected more than 78,000 patients.
In July alone, over 1 million patients were affected by healthcare data breaches.
The effects of a healthcare data breach can be financially devastating. According to IBM's Cost of a Data Breach report, the cost of a data breach in the healthcare sector currently stands at $7.13 million. The global average is $3.86 million. In 2018, over $26 million in HIPAA penalties were issued.
Why is healthcare so at risk?
According to research, the average time to identify and contain a breach in the healthcare industry is 329 days. Contributing factors include the sheer size of the industry; the interconnectedness of partner services such as pathology labs, pharmacies, therapists and insurance companies; the lack of technological standardization across these services; and legacy systems and software that have not been updated in a long time.
Another factor to consider is the value of PHI, or protected health information. According to a report by McAfee, the price for medical data on the dark web is considerably higher than that of personally identifiable information and credit card numbers. This is because PHI can be used to create fake insurance claims, purchase medical equipment, or gain access to prescription medication.
Insider threat is also a huge risk, especially in pharmaceutical companies or firms that handle intellectual property.
What you can do to prevent a healthcare data breach
In order to mitigate the risk of data loss, you first need to understand the problem, and to do that you must follow the flow of data both inside and outside the organization. This is not an easy task in an industry as interconnected as the medical industry. Sensitive-data discovery software can help you find and identify sensitive data across your organization. Once identified, this data can be encrypted or masked to prevent unauthorized use. Embracing technology to protect patient data has the added advantage of replacing the outdated legacy systems that pose a major threat to data security.
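As an added example, not code from the original post or from any vendor's product, the discovery-then-mask flow described above in Python: pattern-based and column-based discovery over constructed sample records, followed by keyed pseudonymization so the same identifier maps to the same token wherever it appears (including inside free-text notes). The record layout, the MRN format and the key are assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real patients): PHI sits both in dedicated
# fields and buried in free text, which is where discovery tools earn their keep.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0048213", "name": "Jane Q. Sample", "dob": "1984-03-12",
     "ssn": "123-45-6789", "phone": "(555) 010-2233", "note": "Follow-up in 6 weeks."},
    {"mrn": "MRN-0048214", "name": "John Doe", "dob": "1972-11-30", "ssn": "987-65-4321",
     "phone": "555-010-9988", "note": "Rx refilled; SSN 987-65-4321 on file."},
]

# Pattern-based discovery for identifier-shaped values (the MRN format is invented).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "dob": re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}
# Names have no reliable shape, so they are flagged by column rather than by pattern.
DIRECT_IDENTIFIER_FIELDS = {"name"}

def discover_phi(record):
    """Map each field holding PHI to the detector(s) that flagged it."""
    hits = {}
    for field, value in record.items():
        names = [n for n, p in PHI_PATTERNS.items() if p.search(str(value))]
        names += ["direct"] if field in DIRECT_IDENTIFIER_FIELDS else []
        if names:
            hits[field] = names
    return hits

def pseudonymize(value, key, label):
    """Keyed, deterministic token: equal inputs give equal tokens (joins still work),
    but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{label.upper()}_{digest}"

def mask_record(record, key):
    """Return a copy of the record with every discovered PHI value replaced."""
    masked = dict(record)
    for field, names in discover_phi(record).items():
        text = str(record[field])
        if "direct" in names:
            text = pseudonymize(text, key, field)
        else:  # substitute in place so surrounding free text stays readable
            for name in names:
                text = PHI_PATTERNS[name].sub(lambda m, n=name: pseudonymize(m.group(0), key, n), text)
        masked[field] = text
    return masked
```

Because the token is keyed, the masking key must be protected like any other secret; without it the masked dataset cannot be linked back to the original records.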
It is always advisable to create an incident response plan that forms part of a risk framework model such as the one outlined by HITRUST. Using a trusted framework allows you to draw on best-practice techniques and the experience of others in the healthcare industry. The HITRUST framework will help you adhere to the requirements of data privacy regulations such as HIPAA and HITECH, which also advocate the use of data protection software.
Hush-Hush data protection products meet the standards of regulations such as HIPAA, HITECH and the GDPR, which all regulate the safeguarding of patient data. Hush-Hush Data Discovery and Masking tools can be used across the healthcare industry, including entities such as health plans, healthcare providers, clearinghouses, billing services, community health information systems, health insurance companies, and medical service providers.