Insurer Beazley has highlighted an array of perils for healthcare providers grappling with data breach risk at the American Society for Healthcare Risk Management (ASHRM) annual conference.
Some of the largest data breaches reported to the Department of Health and Human Services have involved contractors – or ‘business associates’ under the Health Insurance Portability and Accountability Act (HIPAA).
Since 2009, all breaches involving 500 or more patient records must be reported to the Secretary of Health and Human Services. To date 26 percent of these healthcare breaches have involved business associates.
"A growing number of healthcare providers are asking us: 'How can we make sure that our vendors have the security environments that they should to maintain our patient data?'" said Katherine Keefe, head of Beazley Breach Response Services, the dedicated business unit established by Beazley to coordinate data breach management for clients.
Secondly, Beazley said its recent experience suggests that healthcare providers are under a growing threat from hackers, with stolen medical records now attracting a higher street price than credit card information.
"Historically, hacking and malware were not responsible for a large proportion of the data breaches we helped healthcare clients handle," said Keefe. "To date, we've helped healthcare providers manage more than a thousand data breaches successfully, but as recently as 2013 only 13 of the data breaches we handled were attributable to hacking. That is changing as so far this year we've already helped our clients manage 56 healthcare breaches caused by hackers."
Thirdly, in the six years since it began data breach enforcement, the Office for Civil Rights (OCR) has collected over $20 million in penalties from 22 healthcare organizations reporting data breaches, ranging from $50,000 assessed against an Idaho hospice to $4.8 million assessed in combination against Columbia University and New York Presbyterian Hospital.
While the OCR has been largely focused on large breaches involving 500 or more records (21 of the 22 organizations reported large breaches to OCR), the hospice settlement was the first involving a smaller breach.
"We do not expect to see any reduction in the OCR's level of scrutiny," added Keefe, "particularly given that penalties return to OCR's coffers to fund further enforcement actions."