Healthcare organizations leaving themselves open to breaches

Though most healthcare organizations understand the risks of a breach, including violating the Health Insurance Portability and Accountability Act, many aren't taking the proper steps to prevent one, according to a recently published Ponemon Institute report.

According to its survey, 94 percent of healthcare organizations have suffered a breach within the last two years. What's more, in the first quarter of 2013, breaches left 875,000 healthcare records exposed, according to American Medical News.

Meanwhile, many physician practices can't envision themselves being the victim of a breach.

"Sometimes organizations need to experience an incident to understand firsthand the impact. We hate to see that happen," Michael Bruemmer, vice president at Experian Data Breach Resolution, told amednews. The Ponemon Institute report was prepared on behalf of Experian.

Thirty-nine percent of companies that had been breached said they still did not have a response plan in place, according to the survey, while just 19 percent said they had tools to determine the nature and cause of a breach.

A similar new report from Verizon analyzes breaches across industries, reiterating the finding that hackers generally are after financial information that can be used in identity theft. While healthcare providers work hard to protect patients' medical information, they might be surprised to learn cyber criminals were after credit card and bank account information instead.

Though HIPAA requires organizations to assess their risk and to have a response plan in place, it doesn't spell out what that plan should look like. For physician offices, the plan should include a mechanism to assess the cause and scope of the breach and to identify and communicate with those affected, according to the amednews article. 

In assessing an organization's risk, "it needs to be more of an ongoing, constant, holistic type of approach where you're looking at your systems from the perspective of someone on the outside," Jared Rhoads, lead author and senior research specialist for CSC's Global Institute for Emerging Healthcare Practices, recently told FierceHealthIT.

To learn more:
- here's the Ponemon Institute report (.pdf)
- read the amednews article
- check out the Verizon analysis (.pdf)
