Brookings & Ponemon Studies on Privacy & Security; Meet the Experts

Join me and my guests for a Privacy & Security “Blab”

Friday May 13 at 2 pm ET (details below)

Data privacy and security issues remain top of mind across the health care sector and the entire economy. Two reports — a recent Brookings Institution report, Hackers, Phishers and Disappearing Thumb Drives, and the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute — throw the issues into high relief.

While new threats and risks abound, there is value to delving into the details of past breaches; those who cannot remember the past are doomed to repeat it.

I am looking forward to an upcoming event where we will have the opportunity to examine the findings from these reports and discuss topics of general concern to the community with Larry Ponemon (Chairman and Founder, Ponemon Institute), Rick Kam (President and Co-Founder of ID Experts) and Niam Yaraghi (Fellow, Brookings Institution).

Please join us Friday, May 13, 2016, at 2 p.m. ET, for a “Blab” about privacy, security, data breaches, and thoughts about preventing breaches, ransomware and other exploits. (Blab is a live multi-presenter web video broadcast platform with text/chat features – you can submit questions to the speakers in real time, or send them in advance.)  If you can’t make it Friday, please watch the replay.

At a high level, the Brookings study found that the health care sector is particularly vulnerable to data breaches because:

• Health care data are richer and more valuable for hackers;
• Too many people have access to medical data;
• Medical data are stored in large volumes and for a long time;
• The health care industry embraced information technology too late and too fast; and
• The health care industry did not have strong economic incentives to prevent privacy breaches.

The recommendations offered by Yaraghi are cogent suggestions; some are well on their way to implementation (at least by folks who are ahead of the curve) but many may be unworkable, due to a number of factors involving human nature, financial constraints, Beltway gridlock, and more. Here they are:

• Health care organizations should prioritize patient privacy and use the available resources to protect it
• The Office of Civil Rights (OCR) should better communicate the details of its audits
• Health care organizations should better communicate with each other
• OCR should establish a universal HIPAA certification system
• The health care sector should embrace cyber insurance

Here are a few highlights of the Ponemon report, drawn from the organization’s press release:

• Data breaches in healthcare remain consistently high in terms of volume, frequency, impact, and cost. Healthcare organizations are experiencing a greater volume and frequency of data breaches; suffering multiple data breaches each. Eighty-nine percent of healthcare organizations and 60 percent of BAs experienced data breaches over the past two years. Seventy-nine percent of healthcare organizations experienced multiple data breaches (two or more) in the past two years—up 20 percent since 2010. More than one-third, or 34 percent, of healthcare organizations experienced two to five breaches. Nearly half of healthcare organizations, or 45 percent, had more than five breaches. Medical records are the most commonly exposed data, followed by billing and insurance records, and payment details. While the majority of breaches are small (under 500 records) and are not reported to the U.S. Department of Health and Human Services (HHS) and the media, the financial impact is significant. The total economic impact of data breaches is $6.2 billion to the healthcare industry.
• Newest cyber threat for 2016: ransomware. Criminal attacks are up in 2016 and are, once again, the leading cause of data breach among healthcare organizations, causing half of all data breaches and causing 41 percent of data breaches among BAs. Mistakes cause the other half of data breaches in healthcare. Based on the research, mistakes are classified as third-party snafus, stolen computing devices, and unintentional employee actions.
• Healthcare industry is more vulnerable to data breach than other industries. Healthcare organizations believe they are more vulnerable to data breaches than other industries. Healthcare organizations have massive amounts of valuable data and often lack a strong security infrastructure and sense of accountability. Additionally, there are lots of “data touch” points, including multiple employees and third parties. The findings indicate that employees at healthcare organizations and their BAs are not vigilant in the handling and protection of patient information.
• Patients are suffering the effects of data breaches; increased awareness of medical identity theft cases. The research indicates that more healthcare organizations and BAs are aware of medical identity theft cases that have occurred internally since last year’s study. Thirty-eight percent of healthcare organizations and 26 percent of BAs are aware of medical identity theft cases affecting their own patients and customers.

The bottom line is that those of us with first-hand experience with data breaches have a pretty good idea of what ought to be done. The question before us is how to ensure that the things that should be done are in fact done, and that these practices are institutionalized and expanded to address new threats and exploits.

Please bring your comments and questions — we’re looking forward to a lively discussion.

Remember: Join us Friday on Blab. (You’ll need a free account.) Follow me if you want to be reminded. Or watch it here:

right here:

David Harlow
The Harlow Group LLC
Health Care Law and Consulting