The Brookings Institution’s Center for Technology Innovation recently released a paper by Fellow Niam Yaraghi examining the current state of major healthcare data security across the country. In it, he explores the numerous vulnerabilities that healthcare providers face, and discusses how these organizations can prevent future breaches. Yaraghi’s team collected data from 22 interviews with various healthcare professionals, as well as officials within the Office for Civil Rights (OCR).
Since 2009, approximately 1,500 breach incidents have affected over 155 million individuals through hacking, improper disposal, theft, unauthorized access, loss, or misuse of protected health information (PHI). These numbers have continued to rise since the start of 2016.
Breaches of PHI are particularly damaging because they cannot be reversed or corrected. So while a lost or stolen credit card may be cancelled and reissued, Social Security numbers or dates of birth are identifiers that cannot be modified or rescinded once they’ve been leaked.
The healthcare industry continues to be targeted with growing frequency because of the sheer volume and value of the data that gets collected from patients. The proliferation of digital data storage and the use of electronic health records (EHR) since the widespread adoption of Meaningful Use standards has also increased the amount of data that faces exposure to cyberattacks or data breaches. This recent and massive push towards digitization of healthcare information, in addition to the number of parties that have access to it, makes this system particularly vulnerable to hackers and others looking to steal healthcare information.
To further aggravate the issue, Yaraghi found that many healthcare providers had previously been delaying the adoption of HIPAA compliant IT security measures because it didn’t have much of an effect on revenue until recently. The study suggested that healthcare professionals put off investment in information technology measures against PHI breaches simply because they were not met with enough economic incentive to do so.
In order to augment patient privacy practices, Yaraghi urges prioritization of this issue among healthcare professionals, and better communication between healthcare organizations. By reporting the details of OCR audits, organizations can learn from each other and avoid repeating these mistakes themselves.
