According to the HIPAA Journal, healthcare data breaches have steadily been rising over the past decade. It’s no surprise—if you’re a dark web criminal, selling electronic health records (often bundled with other financial and identifying information) is a lucrative business. So is holding it for ransom: healthcare providers often find themselves paying hefty ransoms to avoid jeopardizing sensitive patient data as a result of ransomware attacks.
Today, patient healthcare data is most threatened by hacking and IT incidents that result in unauthorized access to, or unauthorized disclosure of, patient health records. Meanwhile, 73% of medical organizations say their infrastructure is unprepared to handle such attacks. With healthcare data breaches on the rise, it’s worth asking: could your business be at risk for a major healthcare data breach?
Healthcare Data Breach Statistics
In the past decade, more than 230 million healthcare records have been exposed due to data breaches in the United States, according to the HIPAA Journal.
The HIPAA Journal lists 25 data breaches in which over one million Americans were exposed—and as many as 78.8 million, in the case of the Anthem Inc. insurance company breach of 2015. The Anthem Inc. breach remains one of the largest healthcare data breaches in history, with hackers accessing the Anthem database to steal customer names, Social Security numbers, income data, and more.
There have been many types of data breaches in healthcare. In the past year:
- Over half a million patient records were exposed when the laptop of a transportation vendor working with Health Share Oregon was stolen.
- Up to 640,000 patients were impacted by a data breach involving malware at Florida Orthopaedic Institute in July. The Institute faced a class action lawsuit for “failing to follow basic security procedures.”
- Magellan Health suffered a sophisticated phishing scheme impersonating a Magellan Health client. Some 365,000 patients and employees had their data stolen as a result of the breach.
The list of other types of data breaches in healthcare is long—unfortunately, the three incidents above are merely a small sample of the variety and scale of attacks that have targeted the healthcare industry in recent months.
If you work with sensitive healthcare information, or partner with clients who do, it’s in your interest to do all you can to ensure strong data security. Taking the necessary precautions can limit your exposure to healthcare data breaches considerably, so that you don’t find yourself having to inform customers that their data has fallen into the wrong hands—or explain to a judge why you didn’t do more to protect their sensitive personal information.
How Can Data Breaches Be Prevented in Healthcare?
Fortunately, there are effective actions healthcare companies large and small can take to better protect sensitive information and prevent potential healthcare data breaches.
We recommend the following steps:
1. Always securely destroy sensitive healthcare data.
When you no longer need a particular piece of information, take care to securely and completely destroy it, whether by shredding and disposing of paper files or securely wiping your hard drive and electronic files. Never leave sensitive information unsecured or unattended.
2. Train employees on the importance of healthcare data security.
Many breaches are the result of human error. Sometimes that is as innocuous as a file left in the wrong place or a laptop exposed to unnecessary risk of theft. In fact, healthcare data breaches due to internal mistakes happen twice as often as malicious breaches. Be sure to train and re-train employees on current HIPAA and state regulations for patient privacy.
3. Keep patient information separate from public information.
Consider setting up separate wireless networks: one for public use, and another protected network for working with and transmitting sensitive medical information. This way, devices on the public network have no path to the systems that hold patient data, and the healthcare data you transmit over the private network benefits from an extra layer of security.
4. Always keep your network secure and up to date.
Outdated systems expose you to unnecessary risk: apply security updates to operating systems, applications, and network devices promptly, and replace software that no longer receives updates, so that your network stays secure and up to date.
5. Evaluate your data security risk on a regular basis.
Conduct a regular risk assessment of your IT systems to be sure they comply with HIPAA rules for storing, using, and sending electronic patient records. An annual HIPAA security evaluation can identify any threats to your systems and expose areas that need improved security. This Security Risk Assessment Tool, created by the Office of the National Coordinator for Health Information Technology (ONC) and HHS Office for Civil Rights (OCR), is a helpful place to begin.
6. Use encryption to secure sensitive healthcare data.
If your patient information is encrypted and the encrypted data is then stolen or lost, HIPAA doesn’t consider it to be a breach, provided the decryption key was not lost along with it. It’s recommended, then, that you encrypt all sensitive patient data—whether it’s stored on your systems and servers or being sent across the network—and keep the keys separate from the data they protect.
7. Ensure that your vendors also follow good security practices to protect sensitive data.
While your own business may be careful in handling healthcare data, you likely also work with a variety of vendors who may have different data security practices. Be sure that any outside businesses you work with respect federal and state privacy laws, and take serious steps to protect any data you share with them. PaySimple, for example, uses the most powerful security tools available to ensure that all our customers’ sensitive information is encrypted and secured.
8. Use secure payment processing.
Any payment processing providers you work with should use strong encryption and security practices to keep your client data safe. PaySimple takes security seriously, which is why we encrypt all sensitive information, use a 256-bit DigiCert certificate, and process payments over SSL (Secure Sockets Layer). We also use intelligent intrusion detection through TrustWave’s TrustedSentry, for an added layer of defense against any malicious network activity.
Protect sensitive client information at every point. PaySimple can help.
Whether it’s encrypting sensitive health records or providing secure payment processing, being serious about data security benefits both your healthcare business and your clients. Don’t wonder whether your payment processing software is doing enough to protect sensitive client information: PaySimple’s secure payment systems keep data safe at every step.