In the last six years, the health data of 155 million Americans was compromised and healthcare became the single most breached industry, according to a recent Brookings Institution report by Niam Yaraghi. Healthcare data is particularly attractive because it includes information that isn't easily changed (e.g., Social Security numbers, dates of birth, and home addresses), which makes it more valuable to identity thieves than other types of data. Contrast this with a retail store breach: the credit card numbers targeted can simply be reissued afterward. The cost of a healthcare data breach is estimated at $363 per patient record, and most breaches involve thousands of records, so even a breach of a thousand records can cost several hundred thousand dollars. In addition to the financial hit, there may be long-term damage to your reputation, loss of revenue if patients leave your practice, and fines for HIPAA violations.
Why do breaches occur? The "Verizon 2016 Data Breach Investigations Report" and its sub-report focusing on healthcare provide surprising data. Nearly three quarters (73 percent) of healthcare data breaches are due to just three factors: 32 percent are attributable to theft and loss, more than twice the proportion (15 percent) seen in other industries; 23 percent are from privilege misuse; and 18 percent are from "miscellaneous errors."
The silver lining of these statistics is that many data breaches can be avoided. It's likely you're already doing some of these things. The 2016 Physicians Practice Technology Survey indicates that physicians are beginning to pay more attention to data security: 29 percent of respondents said they have instituted a personal mobile device, or bring-your-own-device (BYOD), policy at their practices. Here are three categories of data security that your practice needs to consider. This isn't everything you need to do, but think of it as low-hanging fruit for data breach prevention.
1. "Data loss and theft" just boils down to securing physical devices and data.
• Train staff to handle mobile devices and data storage devices such as backup tapes and USB flash drives so they are not stolen or misplaced. A laptop left on a car seat or backup tapes left in the car overnight are still among the most common causes of breaches. Encrypt portable media and backups as well: under HHS guidance, protected health information that is encrypted in line with NIST standards is not considered "unsecured," so the loss of an encrypted drive or tape does not by itself trigger breach notification.
• Enforce clear policies for mobile devices, including personal cellphones, tablets, and laptops. If staff access work data, the device must have basic security measures in place, such as a password or PIN, automatic screen locking, and storage encryption (on iPhones and iPads, encryption is enabled as soon as a passcode is set; current Android devices are encrypted by default).
• Apple, Google, and Microsoft offer free tools for basic device management. If a doctor loses their iPad or Android phone, these tools let you locate the device or remotely wipe the data from it. The caveat is that the feature (Find My on Apple devices, Find My Device on Android) has to be turned on before the device goes missing, so make enabling it part of the device setup checklist.
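For practices that manage iPhones and iPads, the PIN, auto-lock, and wipe-after-failed-attempts requirements above can be pushed to every device as an Apple configuration profile rather than left to each user. The profile below is an added example written for this article, not something from the original page or from Apple's documentation; the identifier `com.example.practice.passcode`, the UUIDs, and the specific limits (six-digit minimum, two-minute inactivity timeout, ten failed attempts) are assumptions that a practice would adjust to its own policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Passcode policy payload for iOS/iPadOS -->
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Identifier and UUID are placeholders (assumed); generate a fresh UUID per profile -->
      <key>PayloadIdentifier</key>
      <string>com.example.practice.passcode</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadDisplayName</key>
      <string>Practice Passcode Policy</string>
      <!-- Require a passcode at all (setting one also turns on iOS data protection) -->
      <key>forcePIN</key>
      <true/>
      <!-- Disallow simple passcodes such as 1234 or repeated digits -->
      <key>allowSimple</key>
      <false/>
      <!-- Minimum passcode length (assumed policy value) -->
      <key>minLength</key>
      <integer>6</integer>
      <!-- Auto-lock after this many minutes of inactivity (assumed policy value) -->
      <key>maxInactivity</key>
      <integer>2</integer>
      <!-- Require the passcode immediately on wake; no grace period -->
      <key>maxGracePeriod</key>
      <integer>0</integer>
      <!-- Wipe the device after this many consecutive wrong passcodes (assumed policy value) -->
      <key>maxFailedAttempts</key>
      <integer>10</integer>
    </dict>
  </array>
  <!-- Outer profile wrapper -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.practice.mobile</string>
  <key>PayloadUUID</key>
  <string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadDisplayName</key>
  <string>Practice Mobile Device Policy</string>
  <key>PayloadDescription</key>
  <string>Requires a passcode, auto-lock, and wipe after repeated failed unlocks.</string>
</dict>
</plist>
```

Save the file with a `.mobileconfig` extension and distribute it through Apple's free management tools or by having staff open it on the device; once installed, the device refuses to drop below these settings, and a phone left in a taxi locks itself within two minutes and erases itself after ten wrong guesses even if nobody gets around to a remote wipe.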