A data breach in the healthcare industry isn’t just nerve-racking – it’s also expensive and can potentially shut a business down. The bad news is nearly every company will experience a data breach of some magnitude during the life of their company. This guide helps you to identify the type and severity of a data breach.
Across all business sectors in 2014, there were approximately 783 data breaches that resulted in 85 million records being compromised. In the healthcare industry alone, there were 333 breaches and 8.2 million records compromised.
“Now healthcare is a considered a top target,” says James Trainor, the deputy assistant director of the FBI Cyber Division. “The speed of these attacks and the volume with which they’re occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector. Major intrusions into healthcare providers’ computer systems now are happening at the pace of two or three a day.”
What’s more, data breaches are extremely expensive to handle. According to the Ponemon Institute’s study, data breaches in healthcare are the costliest. The average cost of an exposed record is $363 compared to the average of other industries at $154.
No company is safe from this onslaught of data hunters. Even small businesses are subject to hacking attempts. According to findings from the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges Office, it’s estimated that more than half of all businesses have been victims of a cyber-security breach. The findings also show that the percentage may be higher, but not all businesses realize their data has been breached.
There’s a lot of confusion on what constitutes a breach in the healthcare industry. Under HIPAA, it is presumed that an impermissible use or disclosure of protected health information (PHI) is a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI was compromised.
To make that determination, HIPAA mandates that those organizations perform a risk assessment on at least the following four factors:
- Step 1: Assess the Nature and Extent of Involved PHI Involved and Likelihood of Re-identification
- Step 2: Determine the Unauthorized Person Who Used the PHI or to Whom the Disclosure was Made
- Step 3: Establish Whether the PHI was Actually Acquired or Viewed
- Step 4: Evaluate the Extent to Which the Risk to the PHI Has Been Mitigated
Step 1: Assess the Nature and Extent of Involved PHI Involved and Likelihood of Re-identification
When determining the risk of harm to an individual, it’s important to determine what information was exposed and the likelihood of re-identification? Take a closer look at the PHI that was inappropriately disclosed or used. Is it more sensitive in nature? Do they include financial records? What was the level of detail in the record? Assessing this information will help to mandate the urgency in which you deal with the issue. For example, you’ll feel far more pressed to deal with a breach in financial records than you will to deal with a breach in outdated information.
This information is one step that will assist an organization in determine if there is a low risk that the PHI was compromised. However, all four factors must be considered before a determination is made.
Step 2: Determine the Unauthorized Person Who Used the PHI or to Whom the Disclosure was Made
The next step involves tracing the breach back to the source and identifying the perpetrator and/or the person to whom the information was disclosed. This often occurs as a mistake on the part of the employee.
For example, an employee that meant to send an encrypted email file to the acting physician may have mistakenly sent it to a different party or included unauthorized personnel in the email correspondence. If this is the case, it’s fairly simple to trace it back to the source. From there, steps can be taken to reinforce policies to rectify the situation.
Other times the impermissible use or disclosure involves a third party. Determining who received the PHI is an important factor, as it may weigh heavily towards a decision that the data had a low probability of being compromised.
For example, if it was an inadvertent or misfired fax, consider whether or not the recipient was also a covered entity. If that’s the case, they’re obligated to follow the HIPAA rules. Compare that with an incorrect fax to a retail business that does not have to comply with HIPAA. They are under no obligation to protect PHI, and thus may be harder to show that the probability is low that the PHI was not compromised.
Step 3: Establish Whether the PHI was Actually Acquired or Viewed
The best-case scenario is that breached data is never viewed or acquired. This may happen, for example, if it’s a laptop that was stolen or lost is returned, but an unauthorized person never opened it. This is going to be a factor in determining if the PHI was compromised.
At times, a forensic data analysis can determine whether or not the information was accessed, viewed, acquired, altered, transferred, or otherwise compromised. This step, combined with the other three, can help you determine whether a breach actually occurred.
Step 4: Evaluate the Extent to Which the Risk to the PHI Has Been Mitigated
All risks to the PHI should be mitigated in order to reduce legal implications and protect the information. For example, in the above ‘incorrect fax’ to another covered entity and/or retail store, the responsible covered entity could request a letter of attestation that the PHI was destroyed.
This step depends a lot on the third party’s actions following the data breach and their willingness to cooperate with efforts to mend the situation.
After all four steps have been considered and documented, the covered entity or business associate must, in good faith, make the determination whether there was a low probability that the PHI was compromised. If the covered entity or third party cannot make that determination, breach notification is required.
Contact Clearwater Compliance
Understanding how to perform a proper risk assessment can be tricky, particularly if you’re not familiar with the procedure. Clearwater Compliance has successfully helped hundreds of organizations assess and manage their data breaches. For more information about the services we can provide for your specific situation, contact us today!
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.