Target. Home Depot. Adobe. Sony. Athena. You’ve likely read the headlines about the significant data breaches at these big-brand companies and others, which have the potential to impact millions of people. What you likely haven’t heard about are the small data breaches that have a real, destructive impact on individuals.
Although the large breaches affecting millions of people’s data make the headlines, the media exposure doesn’t necessarily correspond to the level of destruction created at the personal level, according to a Wall Street Journal report, particularly in the health care industry. While a lot of data is exposed, very little is exploited.
On the other hand, small breaches almost always inflict the most harm—each one ruining one or more people’s reputation, wellbeing and/or financial stability. And small breaches are rampant in the health care industry.
Consider these examples:
- A hospital worker in Indiana snooped into the medical records of a former friend and posted on Facebook that the person was HPV positive. The message included her full name and date of birth.
- A medical records clerk in California sneaked into the medical records of her husband’s ex-wife. The victim stated that HIPAA did nothing to help her. (What are rules without enforcement?) As a result, her trust in the medical profession has been crushed.
- In Indianapolis, someone stole a boy’s Social Security number and medical identification numbers, and used them to pay for surgery. The boy’s mother received the bills.
Lackluster Breach Enforcement
Despite privacy laws created to protect individuals, victims of small breaches have little recourse in today’s lackluster enforcement environment. In fact, the Office for Civil Rights (OCR) has been criticized by several industry organizations for its poor enforcement of HIPAA regulations.
According to the author of the WSJ article, Stephanie Armour: “Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, it typically settles for pledges to fix any problems and issues reminders of what HIPAA requires. It doesn’t even tell the public which health providers have reported small breaches—or how many.”
Tighten Up Security with a Robust Cybersecurity Program
The problem of small-scale data privacy breaches is exacerbated when medical organizations lack a robust information risk management or cybersecurity program. Here are three considerations to help you prevent both large and small personal data breaches:
- Consider employing a more comprehensive and effective cybersecurity framework. The National Institute of Standards and Technology (NIST) cybersecurity framework is one of the most robust sets of guidelines available to help you create a more effective and more secure information risk management (IRM) program.
- Make sure you are conducting an effective risk analysis. The majority of health care organizations fail an OCR audit/investigation due to an improper risk analysis. Are you confident in yours? Contact us for a free review of your HIPAA compliance program.
- Strengthen your staff risk management training. Clearwater offers organizations a wide range of educational opportunities, including free webinars, white papers, educational tracks, a HIPAA Compliance and Cybersecurity Program BootCamp™, and an (ISC)²® HCISPP℠ CBK® Training Seminar.
Take action now to improve your organization’s cybersecurity efforts and avoid the devastating impact of legal liabilities and reputational damage to your organization, not to mention the damage that a small breach could create for your patients.
We have assisted more than 400 customers in operationalizing and maturing their information privacy, security, compliance and information risk management programs. In the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the health care industry at large.