16,571,490 records were compromised in health care data breaches in the United States last year, according to the Department of Health and Human Services’ Office for Civil Rights (OCR).
2016 was the second worst year in terms of the number of exposed records, and fell behind 2015 only because of three massive data breaches – Anthem, Premera, and Excellus – that, between them, accounted for nearly 100 million breached records.
More HIPAA covered entities reported breaches in 2016 than in any year since 2009, when the OCR started publishing records of breaches affecting 500 or more individuals on its ‘wall of shame’.
Why health care data is at risk
Health care providers are particularly popular targets for cyber attacks because of the type and volume of data they hold. According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, data breaches are costing the industry $6.2 billion a year. The study also found that, in the last two years:
- 89% of health care organizations and 60% of their business associates have suffered data breaches.
- 79% of health care organizations experienced multiple (more than two) data breaches – up 20% since 2010.
- 34% of health care organizations experienced two to five data breaches.
- 45% of health care organizations experienced more than five data breaches.
The report observes: “Although there’s been a slight increased investment over last year in technology, privacy and security budgets, and personnel with technical expertise, the majority of healthcare organizations still don’t have sufficient security budget to curtail or minimize data breach incidents.”
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of protected health information (PHI) by covered entities.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.
HIPAA covered entities that are concerned about data security would do well to implement an ISMS (information security management system), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 certification is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $500.