Lindy Benton, Thursday, April 02, 2015
The headlines are endless and ever-growing: Healthcare data is at risk.
Exposure is happening because a scourge of people worldwide is illegally trying to benefit from the information; because of improper protection of sensitive information; or because of some other sort of breach. However, despite continued efforts to address security loopholes across the sector, simply “taking action” to mitigate damage is not an effective strategy, and it won’t work long term.
Healthcare data also is becoming increasingly targeted. According to an Identity Theft Resource Center report, for example, healthcare accounted for 42.5 percent of major data breaches in 2014, overtaking the business sector for the second straight year. The recent jump in healthcare breaches could be the result of many factors, including tougher reporting requirements on healthcare organizations.
As we know, HIPAA breaches come in a variety of forms and sizes and are more than loss of patient data, records and other forms of identity theft. Breaches can be the result of a lost laptop or mobile device containing patient data, but organizations are becoming increasingly aware of HIPAA and the ramifications of the regulation.
Aside from any new-found respect providers have for HIPAA, breaches of health information are only going to increase, not recede. The news last August highlighting the fact that hackers stole nearly 5 million medical records from Community Health Systems shows this to be true.
We’ll see more headlines in 2015 that will likely make this breach look inconsequential. This is sad, but likely true, as these records include valuable information, like Social Security numbers.
According to the Wall Street Journal, Forrester Research recently conducted a survey of more than 2,100 healthcare IT pros and found that only about 60 percent of them said they encrypt devices like laptops, smartphones or tablets. Also according to the research, 39 percent of healthcare security incidents since 2005 have included a lost or stolen device.
For some additional perspective, since federal reporting requirements started, the U.S. Department of Health and Human Services has tracked major breaches (those affecting 500 people or more) and has identified more than 945 incidents involving patients’ personal information, affecting more than 30 million people.
A majority of these breaches are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access of accounts (1.9 million people), according to The Washington Post. And these numbers do not even include the Community Health Systems numbers.
As breaches continue to occur and sensitive patient data becomes more highly sought after, some organizations are beginning to realize the importance of the cloud and mobile storage solutions to protect their data from breach, while others are maintaining more traditional approaches of keeping their information “safe” onsite.
The move to the cloud is supported by the fact that if health information is stored remotely in a secure and protected manner, there’s no need for the transfer or collection of data on laptops, portable hard drives or other mobile and physical devices. Fear of breach of data stored in the cloud is the exact reason many have not evaluated it as a solution.
The cloud continues generating news about its vulnerability, but healthcare organizations are now identifying HIPAA-compliant secure cloud storage methods that allow them to safely transfer documents from place to place in addition to storing them. For the most part, these solutions require minimal time and training and are easier to maintain and manage than their on-premise counterparts.
While the data stored in the cloud needed to power the organization is off-site, many feel that the data is safe in the event of a catastrophe. The information also is easily exchangeable and retrievable, and records can easily be loaded or attached and sent as required, such as attaching records and documents in support of payer claim verification and adjudication.
Despite the flexibility and ease of the cloud solutions, an overwhelming question arises: Is the cloud as secure as dedicated, on-premise infrastructure? According to Rackspace, the cloud is no less secure than on-premise solutions. Cloud solutions are typically created with built-in security controls and features. The number of attacks on each is increasing, so there is some equality no matter the solution.
“From 2012 to 2013 vulnerability scanning attacks jumped from 27 percent to 44 percent for cloud-hosted environments, and from 28 percent to 40 percent for on-premise datacenters,” the report noted.
Thus, healthcare organizations moving to the cloud are likely to face threat levels similar to those they would face if their data and technology were stored on site, so it would be foolish to proclaim that the cloud is less safe than on-premise solutions or that on-premise solutions are less impenetrable to breach.
Cloud solutions are creating fine information backup options for health organizations, helping them protect their data in the event that their systems crash or their on-premise hardware is destroyed. The cloud also supports the call for organizations to rely on more than one mechanism for data backup for their security efforts — a “defense-in-depth” approach that is becoming a healthcare must as vulnerabilities become more prevalent.
Organizations can’t rely on a single approach to security or solutions to house their data, nor can they expect that they’ll always be in control of their organizational data. Also, just because data is on site doesn’t mean the organization is any less of a HIPAA risk.
This fact won’t bring the headlines to a halt and won’t help protect data in any way, but it may help healthcare leaders realize that there are alternative approaches or solutions for where data can be kept and how it is secured and managed.
Healthcare data needs to be secured, using commonsense methods and using some heavy lifting, perhaps even up to the cloud for protection when it’s needed most.