Healthcare data is more valuable than ever to cybercriminals and identity thieves, according to a recent analysis of breach data.
The Washington Post's Health Reform Watch blog recently reviewed data from a number of sources, which revealed an expanded view of the threat to healthcare data over the past several years.
Author Jason Millman wrote that the federal government's recent mandates for tighter reporting have delivered a trove of fresh statistics on healthcare data breaches.
For example, Identity Theft Resource Center data showed that for the first time, incidents involving the healthcare industry represented the largest percentage (43 percent) of all data breaches in 2013.
The ITRC also expects healthcare data to be the top-targeted data type in 2014, the blog said. Part of the reason the numbers are going up is that the federal government now strictly requires breach reporting, Millman explained.
Even so, the numbers underscore how appealing healthcare data is to cyberattackers, who are motivated to steal patient records because they often contain valuable personal information that can be used to steal identities. Data from the U.S. Department of Health and Human Services indicates as many as 30.1 million U.S. residents have felt the burn of around 944 major medical data breach incidents.
Smaller breaches - those that affected 500 people or fewer per incident - were reported separately but still contribute to a total of $5.6 billion in annual healthcare industry losses related to data breaches, according to Ponemon Institute data.
What does this all mean for IT services providers?
The bottom line is, healthcare data remains valuable, and the threats to patient privacy aren't going away any time soon.
On top of that, the consequences for violations remain high. HHS turned a few heads this spring when it fined New York Presbyterian Hospital and Columbia University Medical Center a record-setting $4.8 million for a 2010 incident in which 6,800 private patient records were posted online.
What's the best way to avoid these fines?
To start, be sure you're signing business associate agreements with both your SMB end users and your technology vendors. These agreements define your relationships with your healthcare customers and explain in writing how you will report and respond to data breaches or investigations.
It's also important to evaluate your technology solutions to make sure they are compliant with HIPAA. There's no HIPAA badge or certification that you can look for on a vendor's website, but you can ask pointed questions about how well the company encrypts data, protects patient information, and handles security.
Finally, if you're not prepared to guide your healthcare clients' overall compliance efforts, put them in touch with someone who can. Technically, you are only responsible for ensuring your clients' IT is compliant, not the rest of their business. But it doesn't hurt to establish a relationship with a trusted healthcare business consultant who can help them further.