Healthcare data breaches are scary… scarier than you might think. Our healthcare records contain highly sensitive information, including personal health details and private billing data. And yet, despite how closely guarded this information should be, roughly 41,335 protected health information (PHI) records are breached every day.
That works out to nearly 29 records every minute, meaning several more have been breached since you started reading. Over a month it adds up to well over a million records, more than twice the population of Wyoming (a little over 580,000). Healthcare cannot afford to bleed private medical information. Worse yet? The bleeding is getting worse. And it costs billions.
Over 90% of major healthcare organizations suffered a data breach within the past two years, amounting to $6.2 billion in damages. 11 million patient records were breached in June of 2016 alone, making it the worst month for information security in an already bad year. Even NFL teams have been victims of healthcare data breaches, with thousands of players’ records stolen in April of 2016. It’s not just the big guys either. The organizations most susceptible to a criminal attack are, unfortunately, often the least likely to have the resources needed to address cyber threats and keep their patient data safe. That’s not good.
But why is this happening? The reasons are numerous, but here’s a quick summary.
- Information is not secured: 74% of mobile medical devices are not encrypted, and only 21% of BYOD devices are scanned before connecting to a network.
- Users are uneducated: 47% of healthcare providers are not confident in their own ability to keep patient data secure, even though over 91% of them use some sort of cloud-based service.
- Technology moves too fast: by the time providers adopt a set of standards, new threats have developed and even newer standards are required. That’s why, despite record losses in 2015, 2016 looks to be even worse.
Simply put, healthcare data breaches are far too common. So how do organizations address the challenge?
Remind me again… what is HITRUST certification?
HITRUST is a comprehensive and verifiable security framework for healthcare organizations. It was developed by healthcare and IT professionals to address risks associated with information security. The HITRUST (Health Information Trust Alliance) Common Security Framework (CSF) provides a robust and detailed roadmap, with the controls needed to manage the many healthcare information security compliance requirements set out by state and federal laws as well as other standards and compliance bodies. While HIPAA requirements provide a framework for healthcare security and privacy, HITRUST goes well beyond that: it identifies specific business practices, processes, and systems, and it ensures they are implemented through a certified third-party assessor that actually goes on-site to investigate, interview, assess, and validate evidence of proper implementation and compliance. There is a big difference between an organization that self-assesses its operations and calls itself HIPAA compliant and an organization that has completed a HITRUST self-assessment, provided evidence of implementation of literally hundreds of requirements, and then had each individual requirement investigated and approved by a certified assessor and ultimately by HITRUST itself.
Do I need HITRUST certification?
It’s not a requirement, but if you are trusting third parties or vendors with sensitive information you probably don’t want to take any chances. Relying on a third-party vendor that is HITRUST certified to protect your sensitive PHI saves your practice the time and cost of obtaining the certification yourself. And if you are ever in the position of having to respond to a data breach incident, rest assured, you won’t want to do it twice. Given the trends in data security, HITRUST will soon become the industry standard for verifying an organization’s ability to handle sensitive information effectively. Below are five reasons why HITRUST is becoming a necessity for healthcare information processing companies.
What are the benefits of HITRUST?
- Prevents data exposures
- Combats attacks
- Establishes industry-wide reliability
- Promotes transparency
- Builds trust
1. Prevents Data Exposures
When PHI is breached, it’s more than just an invasion of privacy. It costs organizations time, money, and their reputation. Millions of individuals have their personal data compromised each year, resulting in billions of dollars spent on remediation, fines, and penalties.
HITRUST’s robust controls help organizations identify risks and prevent compliance issues.
2. Combats Attacks
The leading cause of data breaches is deliberate, malicious attacks from hackers. Check out the public list of breaches affecting 500 or more individuals and look under “Type of Breach”. See a pattern? These aren’t dumb people, and they capitalize on dumb mistakes.
One of the most prominent tools in a hacker’s arsenal is ransomware, malicious software that blocks access to a computer system, or to certain parts of it, until a ransom is paid. Just like a typical ransom, even when payment is delivered, a safe return is not guaranteed. Even worse than real-world ransoms? The attacker never has to set foot near the site of the breach. With cybercrime at an all-time high, the use of ransomware by hackers increasing, and networks under constant attack, something must be done. HITRUST takes into account the many reasons for breaches and addresses the processes and security measures that reduce exposure and risk.
3. Establishes Industry-Wide Reliability
HIPAA is a great foundation. I am sure all of the organizations that have experienced data breaches were “HIPAA compliant.” HITRUST goes beyond this with a comprehensive security framework that is audited, certified and verifiable.
4. Promotes Transparency
The HITRUST CSF (Common Security Framework) is a standardized approach for healthcare organizations to follow in mitigating information security risks. When one organization tells another that it is HITRUST certified, the other party can be assured of the level of information protection in place. The CSF makes it easy for an organization to understand and verify another organization’s stance and status as it relates to healthcare information security.
5. Builds Trust
When it comes to HITRUST, all you need to know is in the name. With media reports of security breaches undermining consumer confidence regarding the handling of PHI, organizations need to know they can trust their vendors, patients need to know they can trust healthcare providers, and members need to know they can trust their insurance companies. HITRUST is not only a means for an organization to ensure they are handling information properly but also a way to convey trust to the parties they do business with.
How do I become HITRUST certified?
HITRUST certification is a long, costly, and comprehensive endeavor. While the benefit of HITRUST is to help demonstrate an organization’s stance on information security, it may not be feasible for some organizations to invest in the certification. Depending on the type of organization, it may make more sense to rely instead on vendors that are HITRUST certified; after all, if you are entrusting sensitive information to a third party, how do you really know the information is effectively protected? MailMyStatements is one of the first healthcare patient billing and payments services to become HITRUST certified and is trusted by healthcare clients nationwide. To learn more about our services, please request a demo today.
Hugh Sullivan is the CEO of MailMyStatements, an industry-leading healthcare billing and payments company. He has over 25 years of experience as a seasoned healthcare executive, was the co-founder of ENS Health, a highly successful national healthcare electronic data interchange company, and has served in various leadership roles within Optum, a UnitedHealth Group company. Considered an industry thought leader, Hugh is an expert in using health IT to improve healthcare information exchange, which can enhance the quality of care, improve efficiency, and reduce costs.
You can follow Hugh on Twitter @hughdsullivan