Whatever the reasons, 94 percent of healthcare organizations faced a security breach in the past two years, said Dan Briley, managing director of Summit Security Group, losing on average 2,700 records. You can be HIPAA compliant, Briley said, with “plenty of security holes.”
Top causes for the breaches are low tech: lost or stolen computers, and employee and third-party snafus.
In fact, some 66 to 90 percent of all breaches start with what Briley calls “hacking the human,” earning enough trust that employees divulge information they should not share.
LifeWise learned to “be a compromise-ready organization,” said Eric Earling, vice president of LifeWise corporate communications, when a single email was the point of entry for an attack that affected 10 million individuals.
The trend is toward more breaches with a “600 percent increase in hospital intrusions over the last 18 months,” said Kelly Hagan, an attorney with Schwabe, Williamson & Wyatt. People can face long-term consequences when “your record becomes polluted with information that’s not about you.”
Hagan said cyber security creates another layer of tension between healthcare reform, which requires sharing information, and more restrictions on the use of readily available electronic information.
Boards face increasing director accountability. “Tell folks in the C suite they are coming for you,” Hagan said, as the Department of Justice pursues individuals directly for remedies and punishment of corporate behavior.
A cyber security panel at the State of Reform conference in Portland urged healthcare organizations to do “penetration testing” to simulate a breach and to buy insurance but “don’t view the insurance as the solution,” said Briley; it’s one more tool in the toolbox.
Tom Schauer, principal of CliftonLarsonAllen, said information technology managers tend to buy more tools, but warned that well-configured products are better than more tools. Electronic medical record application security is “10 years behind banking security.”
Schauer suggested being careful about putting private data in Word, Excel or other documents that tend to live on shared drives. “An attacker might have all the information they need by becoming a low-level employee.”
Jan can be reached at [email protected]