Data breaches in the health care industry are at an all-time high, according to the 2016 End of Year Data Breach Report published by the Identity Theft Resource Center (ITRC). There were 376 reported breaches in the sector last year, which accounts for 34.4% of all reported incidents.
The vulnerability of patients in hospitals and medical centers often makes breaches in the health care industry high-profile events. In January, a secretary at a Florida-based teaching hospital was indicted by a grand jury for playing a key role in the theft of more than 24,000 patient records. Evelina Sophia Reid, who had worked at Jackson Health since 2005, was charged with computer fraud, identity theft, and possession of patients’ personal information, including birth dates and Social Security numbers.
That came just days after Jackson Health fired two employees for leaking the medical information of New York Giants star Jason Pierre-Paul to ESPN. Pierre-Paul’s right index finger was amputated at Jackson Memorial after a now-infamous Fourth of July fireworks accident tore off part of his hand.
But, as the ITRC report shows, data breaches in the health care and medical industry are not just the result of isolated attacks, rogue employees, or celebrity visits.
Leading types of data breaches
In 2007, the ITRC began adding categories to identify data breaches by “type of occurrence.” Insider theft, which was once a major source of breaches, made up only a small portion of incidents last year – 77 of 1,093 reported breaches. Despite a 40% rise in the total number of reported breaches since 2015, the number of insider thefts decreased (from 83).
In contrast, hacking, skimming and phishing attacks rose dramatically, accounting for over half (607) of all reported incidents. According to the ITRC, the rise in this activity was led by CEO spear phishing efforts, also known as business email compromise (BEC) schemes, which expose sensitive data, typically the information required for state and federal tax filings.
Comply with HIPAA
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Administrative Simplification Rules regulate the use and disclosure of protected health information (PHI) by covered entities.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record – up to an annual maximum of $1.5 million – and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.
HIPAA covered entities that are concerned about information security and want to prevent data breaches should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 covers the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement. Companies can often achieve compliance with a host of related legislative frameworks by achieving ISO 27001 registration.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location.