© 20011 Cygnus, Inc.

Cygnus: Workstation Solutions for Healthcare

Cygnus creates wood and metal computer workstation solutions with a focus on the healthcare industry. Wall mounted computer desks, charting stations, articulating arms and medication cabinets are some of our largest sellers. Also visit our Social Media page and connect with us. http://www.cygnusinc.net/get_social_with_cygnus.html

Tuesday, January 31, 2012

amednews: Small medical practices greatly at risk for data breaches :: Jan. 16, 2012 ... American Medical News

from amednews: Small medical practices greatly at risk for data breaches :: Jan. 16, 2012 ... American Medical News:


Data breach experts are issuing a warning to small practices -- don't be the vulnerable target that data thieves assume you are.
The Top Cyber Security Trends for 2012, as compiled by Kroll's Cyber Security and Information Assurance, reported that small practices are more susceptible to security vulnerabilities because they are "the path of least resistance." Many rely on outdated technology. Basic security protections, such as proper use of encryption, often are overlooked as practices focus on meeting regulatory requirements, such as those related to meaningful use.
Small practices often lack the technical sophistication to know what tools to put in place to avoid attacks, said Jason Straight, managing director of Kroll's Cyber Security and Information Assurance unit. Or they have the right tools, but the tools are not implemented or monitored correctly, he said. One example is having incorrectly installed data encryption.
Large organizations have become more "hardened," meaning they spend more money to safeguard their data, said Beth Givens, founder and director of the Privacy Rights Clearinghouse, an education and advocacy group that has tracked publicly reported data-breach trends across all industries since 2005. "It only stands to reason [that data thieves] would go after small practices," she said.
Breach experts have long said medical data are among the most valuable because of the depth of the information. To thieves, small organizations are often the easiest source of this data because they lack the sophisticated security measures used by their larger counterparts. Because nearly three-quarters of practices are one- or two-doctor operations, there are simply more of them to target compared with large organizations. The advice given to practices is to take steps to ensure they aren't the victims of a breach.

The costs of a breach

Three of the six most significant data breaches in 2011 occurred at health care organizations, resulting in 11 million patient records being put at risk, according to a year in review report published in December 2011 by the Privacy Rights Clearinghouse.
Givens said medical data are valuable to thieves because of "the triple whammy" -- sensitive medical information, financial data and other identifying data that can be used for identity theft.
When a breach occurs, the practices are faced with the cost of notifying all of the affected patients and usually paying for identity theft and credit monitoring for them. The per-patient costs associated with a breach have risen to more than $200 in 2011 for notification and loss of income, according to the Ponemon Institute, a privacy research center based in Traverse City, Mich.
Many breaches also bring to light deficient IT systems that the practice must replace immediately. In addition, the practices could face fines from the Dept. of Health and Human Services.
Although breaches at large medical organizations often get more media attention because of the sheer number of records involved, that shouldn't be an indication that small practice owners are in the clear, experts say.
It's hard to put an exact number on small practice breaches because breaches generally are categorized by industry and not broken down by practice size, Givens said. There's also a good chance many of the breaches in small practices aren't reported because they don't fall under the state or federal reporting requirements. For example, California doesn't require the reporting of paper breaches, and HHS doesn't require the reporting of breaches affecting fewer than 500 people.
A query of the HHS breach database and the Privacy Rights Clearinghouse's database shows dozens of cases involving individual physicians and small medical practices that were victims of cyber attacks in 2011. Cases include the hacking of network servers, office burglaries, inside data thefts, and incidents caused by information technology problems that may have been malicious attacks or errors that resulted in data exposure. Givens said she is sure there are "a lot more breaches than are posted on our website."

posted by Dan Laninga

Thursday, May 27, 2010

Federal workgroup wants encryption even for direct HIE


May 27, 2010 — 12:27pm ET | By Neil Versel on http://www.fierceemr.com

The privacy and security workgroup of the federal Health IT Policy Committee is recommending that providers encrypt any personally identifiable patient information whenever they share data with others, even when a third-party health information exchange is not involved.

The workgroup is asking HHS officials to set policies for data encryption, limits on specificity in message headers and identity verification of both sender and receiver, even in direct, one-to-one exchanges, as part of final rules for "meaningful use" of EMRs, Government Health IT reports. Such rules are what a "reasonable patient would expect," said workgroup co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.

This recommendation takes into account new, tougher, HIPAA privacy and security rules, which come with increased penalties for violations. "If strong policies, such as the above, are in place and enforced, we don't think this scenario needs any additional individual consent beyond what is already required by current law," McGraw said.

Direct HIE likely will be a "stage 1" requirement of meaningful use. HHS promises a final rule in June.


Read more:
http://www.fierceemr.com/story/federal-workgroup-wants-encryption-even-direct-hie/2010-05-27#ixzz0p9mEGO9P

posted by Dan Laninga

Wednesday, April 29, 2009

Information Security Management Systems (ISMS) Best Practices Flow Chart


New flow chart for healthcare IT security available in PDF format. http://www.cygnusinc.net/support.html

A special thanks to Christopher Paidhrin of ACS Healthcare Solutions for the special permission to post the document.

posted by Dan Laninga
