In the healthcare industry today, it seems that experiencing a data breach is no longer a matter of "if" but "when" for hospitals and health systems. According to the U.S. Government Accountability Office, there were 13,017 data breach incidents in 2010. In 2011, that amount rose to 15,560 — an increase of 19 percent. While those statistics include data breaches for industries outside of healthcare, one can simply look at recent headlines in the news to see that data breaches are increasingly occurring.
According to Christine Marciano, president of Cyber Data Risk Managers, in planning for a data breach or cyber attack, leaders should ask themselves the following key questions:
• If a data breach were to occur, is there an incident response plan ready?
• Who will the hospital contact for assistance?
• Do you know what your business associates and/or vendors are doing to protect their systems and their data?
• When was the last time you asked to view those policies?
• Are physicians, nurses and clinical staff carrying data on unencrypted USB drives?
These five questions can give hospitals a launching pad for discussion and/or action to prepare themselves for data breaches. In addition, Ms. Marciano and John Tate of Systematic Development, a developer and distributor of secure hardware, recommend the following seven methods for minimizing data breach costs.
1. Ensure policies and procedures cover data protection and breach management. If a hospital's privacy and security policies and/or procedures are not comprehensive, there could be problems when a data breach occurs. Once a breach has happened it is too late to amend those policies; fixing them at that point only helps with future incidents. Ms. Marciano recommends the following questions to determine if policies and procedures are extensive enough.
• Does your organization have a written, corporate-wide privacy policy?
• Does your organization have an enterprise risk board or a designated chief privacy or security officer?
• Does your organization have a disaster recovery plan?
• Does your organization encrypt data stored on laptop computers and portable media?
2. Update all software and hardware regularly. Hospitals should enforce a software update process that includes installation of software patches. "When exploring a data breach policy, it is important to know if your organization includes installations of software patches and if within 30 days of their release," says Ms. Marciano. A software patch is a set of changes made to software systems. Patches often include new features, fix bugs or add documentation. For data security, applying patches promptly could help block cyber attacks and protect firewalls.
3. Encrypt data. Although it may seem obvious, the best way to reduce data breach costs is by encrypting data. "When patient data is lost, if the hard drive or computer was encrypted, the loss is not as much of a liability to the patient or the hospital. The majority of data breaches that have been reported since 2011 would not have occurred, or at least would not have been reported, if the data had been encrypted," says Mr. Tate. There are two main ways data can be encrypted.
Software encryption
According to Mr. Tate, one of the main ways to encrypt data is to run software on a network which encrypts data as it is stored and decrypts it when an employee needs access.
Hardware encryption
Hardware encryption is just as it sounds. Instead of using software, the hardware itself or the drive has internal encryption. "Hardware encryption occurs automatically when you are saving on a desktop, laptop or server. The hard drive then decrypts when the data is pulled off the drive," says Mr. Tate.
4. Manage ports. Another way to reduce data breach risk is to manage the ports that are used to connect to the hospital's network, either wirelessly or physically. "USB ports are a big worry right now. Since it is commonplace for employees to bring their own devices and USB drives to work, there needs to be strict rules on how employees are using physical ports," says Mr. Tate. Network ports need strict rules as well. If the hospital establishes protocols for what data in the hospital network can come off or go onto a device, patient data will be more secure.
Oregon Health & Science University recently suffered a data breach after an unencrypted USB drive storing information for 14,300 patients was stolen from an employee's home. According to Mr. Tate, there are a variety of ways for hospitals to control port access, including requiring employees to use encrypted USB drives:
• Software solutions called port management solutions or endpoint solutions, which offer protection
• Rules to allow only USB drives with encryption to connect to the hospital network
• Rules to prevent executable files from moving off the network to USB drives
5. Train employees. According to Ms. Marciano, hospitals need to be training employees and promoting privacy and security awareness to reduce risks from data breaches. "This will be a key question on an application for data breach policies. Carriers want to make sure you are promoting key security awareness in your organization because that is where many data breaches come from — stolen laptops and/or unencrypted laptops in physician and employee homes," says Ms. Marciano.
6. Establish a risk assessment program. Ms. Marciano recommends a risk assessment program to test or audit security controls on an annual basis. "Hospitals may want to study best practices for enhancing security controls to tighten access to their network, minimize data leakage and proactively solve issues before an audit," she says. In addition, she recommends the program for hospitals looking to purchase data breach insurance. If a program already exists, it is a good idea for hospitals to summarize the scope of each audit when applying for insurance policies.
7. Know your business associates. Hospitals need to ensure that their business associates and vendors are properly protecting electronic patient health information, especially in today's digital environment. "Having conversations and knowing their data protection policies will go a long way. If you let business associates handle your data, you could feel the effects of a data breach that occurs on their time," says Ms. Marciano. For instance, a computer containing personal information for nearly 10,000 patients at Hartford Hospital and its home healthcare partner, VNA Healthcare, was stolen from a subsidiary of one of Hartford Hospital's vendors. The subsidiary, Greenplum, was performing data analysis on Hartford patient data for a quality improvement project when the laptop was stolen from an employee's home. In order to minimize a risk such as that, Ms. Marciano suggests asking whether the business associate has data breach coverage and how they would respond if a data breach were to occur.
Data breaches can be very damaging to healthcare organizations because they threaten finances, reputations and patient loyalty. Hospitals need to prepare, and these seven methods can help hospitals minimize risks from data breaches.