Health data breaches usually aren’t accidents anymore

During the past decade, the health care industry has adopted new practices and technology to protect against patient data breaches. But as protection of data becomes more sophisticated, so have the ways in which the data are exposed.

Data security firm ID Experts examined some of the biggest breach cases from the past decade and talked with data security experts to understand how the trends have changed during the past 10 years. The report identifies future threats to data security and gives advice on how organizations can respond to those threats.

One of the biggest changes during the past decade is the data being targeted. Ten years ago, it was personal identifiable information. Now, said Rick Kam, president and co-founder of ID Experts in Portland, Ore., personal health information is being targeted, mainly because of the value it holds and the relative ease thieves have getting their hands on it.

In 2003, 5 million people were victims of identity theft. In 2012, that number jumped to 12.5 million. This is due, in part, to the fact that a decade ago, most breaches were caused by human error (lost devices, records being exposed in insecure ways).

Now breaches have become more targeted and sophisticated with a large and growing number of breaches being caused by hacking and cyber criminals. “These criminals essentially are finding ways into those systems to go after very specific pieces of data, and using that data to create bigger frauds,” Kam said.

Vulnerability of medical records

Kam said every study he has seen indicates that medical records hold an average black market value of $50 per record. He also cited other surveys that said 94% of health care organizations have had at least one breach in the previous two years. Because data can now reside in multiple locations, including unsecured smartphones, laptops and tablets, and can be transported to an infinite number of locations, thieves, whether they be outside hackers, device stealers or people who try to use staff to share sensitive information, have more areas to target.

“The proliferation of mobile devices presents a whole new threat,” said James Christiansen, chief information risk officer of the risk management firm RiskyData of Orange County, Calif., in the ID Experts report. “They are woven into the fabric of the enterprise computing environment, but we don’t have the needed controls at the enterprise level yet.”

The ID Experts report was released around the same time as publication of a breach report by California Attorney General Kamala Harris. That report found that of the 131 data breaches reported to her office in 2012, 55% were intentional intrusions by outsiders or by unauthorized insiders. The other 45% were mostly the result of failures to adopt or carry out appropriate security measures. The retail industry reported the most breaches at 26%, followed by financial and insurance at 23%. The health care industry had the third most-reported incidents at 15%.

Most of the experts who participated in the ID Expert report agreed that the problem of data breaches will get worse before it gets better. Not only will the breaches be more frequent but also more severe, they said. Kam said another new potential source of breaches are the statewide health information exchanges that were funded under the Health Information Technology for Economic and Clinical Health Act, because many are short on cash and might not have the means to protect their data from all targets.

What organizations can do

There’s more awareness of data risk than there was a decade ago thanks to the Health Insurance Portability and Accountability Act, the HITECH Act, the Red Flags Rule and state data breach notification laws that require disclosure and corrective action by health care organizations. But many organizations are relying too much on technology to protect their data rather than focusing on how they can use the technology correctly and training employees to be better stewards of the data, said John Sileo, CEO of the Sileo Group, a data security consulting firm in Denver.

Kam said an area that needs more attention is training business associates, who will, starting in September, be subject to the same Office for Civil Rights enforcement penalties that HIPAA-covered entities have been subject to. He said there are about 500,000 covered entities and 3 million business associates. A business associate is any outside group, such as an insurer or vendor, that has a relationship with a physician practice or other health organization.

Ongoing analysis of data breaches has revealed that thieves often sit on stolen data for an extended period of time, said Robin Slade, CEO of The Foundation for Payments Fraud Abatement & Activism, a nonprofit in Texas that studies fraud and educates the public on the risks and methods for breach prevention. Slade said organizations need to develop incident response plans that include long-term diligence and monitoring.

Slade is serving as the development coordinator for the Medical ID Fraud Alliance, a collaboration Kam is also working on that will bring together multiple stakeholders, including the Federal Trade Commission, the Secret Service and the Veterans Administration, to help develop best practices to protect against breaches and medical identity theft. Kam compared MIFA to the Financial Services Roundtable, created by the banking industry to address the needs, concerns and threats to the nation’s financial services industry.

MIFA is expected to formally launch in fall 2013, and one of its first goals will be to create educational materials for consumers to bring more awareness to medical breach threats.