On Breaches: Practices Prepared for Data Intrusions

Think about the word "breach" for a minute. What images come to mind? Perhaps it's of a red flashing air horn siren and a team of government specialists keylogging their computer systems to trace the perp who bypassed their firewall. Maybe it's of a sickly tech geek being led away in handcuffs, having edged his way into someone's system to add a few notches to his "hacking" belt. Whatever the case may be (and no matter how influenced by action/disaster cinema), data breaches aren't to be taken lightly in any circumstances. I know, I know, this isn't new. Perhaps you've even taken a seminar or read it in a policy handbook... but according to various studies performed in recent years, data breaches are an increasingly common occurrence in the medical world, many practices aren't taking enough precautions to protect themselves in these unfortunate events... and it's costing them obscene amounts of money.

A report from the Ponemon Institute showed that roughly two thirds of US companies experienced "cyber-attacks" in the six-year period from 2006-2012, a 650% increase in the United States alone. According to the study, 90% of all the hospitals in the United States have been victims of a data breach in the past two years. Many experts attribute this figure to the numerous changes that have been made to the way patient information is stored. Certainly, the Health IT industry has changed drastically in recent years, and these data breach figures aren't a slight to its efforts. It's just that, deep down, attackers can uproot any technology put in place, and the end result is a costly breach.

The healthcare industry takes emergencies seriously and proactively plans for various problems it sees down the road. Still, a 2012 National Preparedness Report conducted by the Federal Emergency Agency indicates that most health care providers simply "aren't ready to take on a cyber-security attack." To put these findings in more concrete terms, only 42% of state officials believed that their health organizations were adequately prepared to face a cyber-attack.

Sensing a need for more rigorous patient-data security, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009. Under the HITECH Act, health care providers can actually be penalized on the grounds of "willful neglect" if they fail to demonstrate any reasonable and measurable attempts to take proactive care in protecting patient data in the event of a breach... and these penalties are not chump change. They range from $250,000 in citation fines up to $1.5 million for any uncorrected violations. These financial penalties are constructed as incentives to prevent serious data breaches.

Encryption protects patients against identity theft and comes in handy when information is needed quickly and must be made mobile or transferred to emergency personnel. Encryption tools convert any information in a file or document into an unreadable format before being sent. These same tools can then decrypt the information so that only authorized personnel on the receiving end can read it and use it. The HITECH act lays out the requirements for encryption software and maintains that success in implementation depends upon the overall strength of the encryption algorithm and the security of the decryption "key" or process. Good encryption tools must adequately protect the data when it is "moving" (as in, being sent through a network or wireless transmission) or when it is "resting" (in a database, a file system or any other structured storage method).
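To make the "moving" and "resting" distinction concrete, here is an added example (not code from the original article, nor from any vendor or standard it mentions) written in Go using the standard library's AES-256-GCM. It encrypts a record and also authenticates it, so a file altered on disk or a message altered in transit is rejected rather than quietly decrypted into garbage. The sample record, the label string and the in-memory key generation are constructed for illustration; in a practice the key belongs in a key-management service or HSM, which is the "security of the decryption key" the text refers to. Using Go's standard library does not by itself make this a FIPS 140-2 validated module: validation applies to the cryptographic module a product ships, not to application code like this.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demo; not real patient data.
var sampleRecord = []byte(`{"mrn":"EXAMPLE-0001","name":"Jane Doe","dx":"example"}`)

// NewKey returns a fresh 256-bit AES key. Generated in memory here only for the
// demo; a real deployment keeps the key in a KMS or HSM, never beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates a record with AES-256-GCM. The returned blob
// is nonce || ciphertext || tag. "label" is additional authenticated data: it
// is not encrypted, but Open fails if it does not match (e.g. a record id), so
// a ciphertext cannot be silently swapped into another patient's slot.
func Seal(key, record, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, label), nil
}

// Open reverses Seal. Any change to the blob, or a mismatched label, yields an
// error: the same check protects data at rest (file on disk) and in motion.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// RoundTrip seals a record, then checks three outcomes: a legitimate open
// succeeds, a blob with one flipped bit is rejected, and the wrong label is
// rejected. It returns true only if all three behave as expected.
func RoundTrip(record, label []byte) (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	blob, err := Seal(key, record, label)
	if err != nil {
		return false, err
	}
	got, err := Open(key, blob, label)
	if err != nil || !bytes.Equal(got, record) {
		return false, fmt.Errorf("legitimate open failed: %v", err)
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, tampered, label); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	if _, err := Open(key, blob, []byte("other-label")); err == nil {
		return false, errors.New("wrong label was accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip(sampleRecord, []byte("record:EXAMPLE-0001"))
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

The design point is the authentication tag: plain encryption alone would let a modified ciphertext decrypt to altered plaintext without anyone noticing, whereas GCM makes Open fail loudly, which is what you want both for a laptop image pulled off a lost device and for a record in transit to emergency personnel.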

In order to comply with a stringent HIPAA standard, and to adequately protect patient data, many healthcare providers are turning to verified third party security products and structures. The HHS recommends products whose encryption has been validated under Federal Information Processing Standard (FIPS) 140-2 for health care data. This standard has already been mandated by the United States Department of Defense for encryption, so its credentials are established. FIPS 140-2 is a powerful security solution that reduces the risk of exposure without significantly increasing costs. According to the FIPS publication, FIPS 140-2 is "applicable to all agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems as defined in section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106." One of the long-running benefits of implementing a fully FIPS-140-compliant system is that it provides healthcare organizations a security level that will remain active and useful for a sustained period of time, even after 2030. This is longer than most cryptographic systems.

Other Options
Practices that use sealed or closed networks and allow no outside access or file moving might not require encryption tools, but they will still need to thoroughly document their reasoning for not employing encryption in order to avoid fines. Realistically, though, closed networks are a dying breed (can you think of any office that doesn't have Internet access?). With an increasing number of electronic transactions in healthcare, including e-prescription services, patient portals and other methods of electronic communication, most practices are using open systems that necessitate an encryption service for premium protection.

Tech vendors should be able to readily assess whether your practice is secure. Given the public visibility that occurs when a practice endures a breach, there's little reason for an organization to risk the exposure with technology systems that don't meet FIPS 140-2 standards for encryption. Without FIPS 140-2 compliance, cryptographic functions have been shown to be implemented correctly less than 50% of the time. This means essentially that there's a 50% chance that the cryptography system in place can be bypassed by a persistent "hacker." FIPS validation and certification gives healthcare providers a level of confidence in the security of their critical data and reduces the risk of incurring more costs in the event of a breach.

The Cost of a Breach
In 2011, it was estimated that the average cost of a health care data breach amounted to $240 per record. This is about 24% higher than the cost of data breaches in any other type of business. Imagine how many records are stored electronically and how quickly that kind of a breach will add up. The Health Information Trust Alliance estimates that of the 500 United States health care breaches from 2009 to 2012, about 21,000,000 records were exposed, adding up to $4,000,000 in damages. Many may believe this is a problem only relevant to big hospitals, but they're mistaken. A whopping 60 percent of these breaches occurred within smaller-sized physician groups. Of this fraction of data breaches, 67% occurred as a result of theft or careless loss, 38% occurred by data being intercepted from an unencrypted laptop or portable electronic device and 6% occurred from external hacking.

Here are some of the things any healthcare practice must consider when preparing for a health care data breach.

Legal Fees
It should go without saying that a lawyer is among the first to be contacted when a breach occurs. This is simply because your practice may need specific legal advice on how best to respond to the intrusion, and how best to consult with patients. Additionally, legal professionals can help in the event that counsel is needed for any distraught parties who've been affected. A practice may also need to respond to a government investigation, which can incur more fees.

Regulatory Costs, Fines and Penalties
As discussed earlier, substantial penalties can be assessed against a practice involved in a data breach. These penalties range from $100 to $50,000 per violation, depending on the type and severity of the breach. In some circumstances, HIPAA's civil and criminal penalties may extend to business associates. While an individual usually can't sue a provider outright, state attorneys can bring action against a provider on behalf of the state's residents. The US Department of Health and Human Services (HHS) is now required to conduct periodic audits of all covered entities and business associates. This means that healthcare providers simply must have systems in place to monitor their business practices and their relationships with business associates, to assure the safety of all the medical information they hold.

IT Forensic Costs
The practice must determine who has been affected by the particular network or security breach, which patients must be notified of the breach and what specific steps need to be taken to prevent data breaches in the future. This may also involve the fees incurred in trying to track down the origin of the breach, and whether or not an outside IT group is brought in to handle it.

Notification Costs
As stated earlier, affected parties must be notified of a data breach. Depending on the size and severity of the breach, this can involve contacting patients either by mail or by telephone. Notification by certified mail can cost $2-3 per record, while larger practices may want to enlist the services of a call center when addressing a breach, and this can be a large expense.

Credit Monitoring Costs
Individuals who have been affected may be offered credit monitoring. This service comes at the expense of the practice, and if the breach involved Social Security numbers and financial information, the cost can increase. Generally, credit monitoring costs hover around the $50-per-person range, and this is paid annually.

Practice Reputation
Finally, a breach can have a severe negative impact on a health care practice's reputation. In these scenarios, practices may consult public relations services to try and mend any damaged patient good will. These services also help to spread public awareness as to the steps that a particular practice has taken to amend and correct a breach and (as has been the pattern) these expenses can be significant.

Not to be all "doom and gloom," but an illustration in Tony Jeffs's How Physicians Can Prepare for Cybersecurity Attacks and Meet HIPAA Requirements discusses various breaches that have derailed certain practices, like the Kern Medical Center in Bakersfield, California, which was attacked by a virus that took physicians and nurses offline, or an attack on a Chicago hospital which forced its computers into a "botnet" controlled by a hacker, consequences the hospital is still dealing with.

To account for a data breach, practices must diligently plan ahead. This may mean establishing a savings account that can be applied specifically to data breaches, or acquiring some form of cyber liability insurance products currently on the market. Certain insurance policies may extend their coverage to a practice, and may also cover patient class action lawsuits if they come up, along with any claims related to credit card companies and health insurance companies.

While data breaches are not necessarily inevitable, the risk in today's environment is real. Besides securing medical information and records, and protecting patients against identity theft, practices with secure encryption services and a plan of action in the event of a data breach can reduce the likelihood of a breach – and minimize its impact, as well.

Adler, Ericka L. "Prepare Your Practice for Potentially High Data Breach Costs." Practice Management Help, Tools, News, Resources, Free CME. Physicianspractice.com, 1 May 2013. Web. 14 May 2013.

Jeffs, Tony. "How Physicians Can Prepare for Cybersecurity Attacks and Meet HIPAA Requirements." Physicians News. Physiciansnews.com, 16 Apr. 2013. Web. 14 May 2013.


Dylan Chadwick is a graduate of Brigham Young University where he earned a Bachelor of arts in English and a minor in Spanish. Though spending his formative years in Cardiff Wales, he came to adolescence in Elizabethtown Kentucky, and considers it his home. He received the Eagle Scout Award, served a voluntary humanitarian mission to inner-city Los Angeles from 2007 to 2009, and once met Alan Alda on a golf course. He's an avid writer who cut his teeth contributing to student papers and continues writing for various print magazines, blogs and web resources. A ravenous fan of baseball, rock music and Dan Aykroyd-era Saturday Night Live, he plans on one day utilizing these interests in a Masters degree in American Studies and Literature. He also maintains a freelance illustration company on the side.