The trust behind the physician-patient relationship has always remained a cornerstone of patient care. In order for a physician to make proper diagnoses and provide optimal treatment, the patient must feel comfortable providing all pertinent details about his or her condition. The physician’s obligation to keep this information confidential is laid out in the code of medical ethics, underlining the unique nature of this relationship. As care for a single patient has evolved to often include multiple specialists and multiple institutions, the requirement of trust has expanded to the entire system. Due to the foundational relationship between the “consumer” and the “service provider”, the entire healthcare industry is subject to a higher standard of trust than other consumer-facing sectors.
The rise of technology in healthcare delivery
The complexity of data and communications now required by the practice of medicine has had an additional consequence—the implicit requirement for technology to enable improved patient care. While healthcare has attempted to catch up to other sectors in its adoption of technology, it has also opened itself up to the same information security concerns, as evidenced by major, intrusive data breaches. As required by the HITECH Act of 2009, the government posts a list of healthcare breaches affecting 500 or more individuals. At the end of 2014, this list included over 1100 breaches affecting roughly 41 million individuals. Last month’s Anthem case (thought to affect up to 80 million patients) and this week’s Premera Blue Cross breach (affecting another 11 million patients) could potentially be twice as damaging as all previously reported breaches combined! If there was ever a doubt, data held by healthcare institutions is being targeted just as much as data held by their retail and financial counterparts. While technological advances continue to expand the capabilities of healthcare, the industry must take proactive steps to safeguard the underlying data and the patients it represents.
Learn from the mistakes of others
While the healthcare industry is being hit just as hard as other sectors, it does have a “follower advantage” of sorts: it should be able to learn from past incidents involving companies such as Home Depot, Target and JP Morgan. While the retail and financial industries engage in a tug-of-war over potential data breach legislation, the healthcare industry should take the opportunity to step up its requirements for safeguarding patient data. For example, the Office for Civil Rights (OCR), the organization charged with the enforcement of HIPAA, is currently in a gray area with regard to data encryption. While HIPAA does not actually require the use of encryption, it states that encryption should be implemented if a risk assessment determines that it is a reasonable and appropriate safeguard. Even if security requirements don’t officially change in the near term, it will serve individual organizations well to be proactive. Under the HITECH Act, if a device is lost or stolen, the loss is actually not reportable as a HIPAA data breach if the data is encrypted (under HHS guidance the encryption must render the data unusable to an unauthorized person, which in practice means the decryption key must not be stored on or alongside the lost device). In 2012, a lost USB drive cost the Alaska State Health Department $1.7 million. In 2014, stolen laptops cost Concentra Health Services and QCA Health Plan of Arkansas a total of nearly $2 million. Had encryption been in place in either situation, not only would the fines have been avoided, but the losses wouldn’t even have been reportable! A calculator isn’t necessary to verify the positive ROI of encryption costs.
Don’t be the next healthcare company in the news for a security breach
With cybersecurity concerns growing across all industries, the issue of patient data security is escalating as well. It is becoming clear that the rules and regulations of the healthcare industry are increasingly being subverted by cybercriminals, and the trust that has been critical to patient care is being tested more than ever. Healthcare organizations have two options in the meantime—either wait to see what happens and gamble that larger breaches don’t occur, or act proactively. Although it is too late for some, your organization should invest in protection NOW.