Contractors, Hackers and Regulators all Pose Data Breach Risks for Healthcare Providers

Farmington, Connecticut, UNITED STATES

SAN FRANCISCO, Oct. 27, 2014 (GLOBE NEWSWIRE) -- Beazley highlighted an array of perils for healthcare providers in grappling with data breach risk at the American Society for Healthcare Risk Management (ASHRM) annual conference in Anaheim today – perils stemming from data entrusted to contractors, data targeted by hackers, and breaches investigated by regulators.

1. Contractors

Some of the largest data breaches reported to the Department of Health and Human Services have involved contractors – or "business associates" under the Health Information Portability and Accountability Act (HIPAA). Since 2009, all breaches involving 500 or more patient records must be reported to the Secretary of Health and Human Services: to date 26% of these healthcare breaches have involved business associates.

Recognizing this risk, Beazley provides practical information to healthcare providers on the security precautions that should be taken by contractors. "A growing number of healthcare providers are asking us: ''How can we make sure that our vendors have the security environments that they should to maintain our patient data?'" said Katherine Keefe, head of Beazley Breach Response Services, the dedicated business unit established by Beazley to coordinate data breach management for clients.

2.  Hackers

Beazley's recent experience suggests that healthcare providers are under a growing threat from hackers with stolen medical records now attracting a higher street price than credit card information.
"Historically, hacking and malware were not responsible for a large proportion of the data breaches we helped healthcare clients handle," said Ms Keefe. "To date, we've helped healthcare providers manage more than a thousand data breaches successfully, but as recently as 2013 only 13 of the data breaches we handled were attributable to hacking.  That is changing as so far this year we've already helped our clients manage 56 healthcare breaches caused by hackers."
The street value of healthcare records is now estimated to be a multiple of the value of credit card numbers.  The mix of financial and medical information held on healthcare records can be used to create false identities to buy medical equipment or drugs for resale or to make fraudulent insurance claims.  As it commonly take some time for such frauds to be detected, medical records also hold their value for longer than stolen credit cards, which tend to be cancelled rapidly.
3.  Regulators
In the six years since it began data breach enforcement, the Office for Civil Rights (OCR) has collected over $20 million in penalties from 22 health care organizations reporting data breaches, ranging from $50,000 assessed against an Idaho hospice to $4.8M assessed in combination against Columbia University and New York Presbyterian Hospital.  While the OCR has been largely focused on large-sized breaches involving 500 or more records (21 of the 22 organizations reported large breaches to OCR), the hospice settlement was the first involving a smaller breach.  
"We do not expect to see any reduction in the OCR's level of scrutiny," said Ms Keefe, "particularly given that penalties return to OCR's coffers to fund further enforcement actions."  The OCR's budget was held flat between 2013 and 2014, but it has increased by 5% to $41 million for fiscal year 2015 and the headcount is rising from 207 to 218.
At this year's ASHRM conference, Katherine Keefe will be participating in a panel discussion, Health Care Data Breaches: Regulatory Issues on Monday October 27, 2014 at 9am.  Ms Keefe can also be seen discussing data breach risk for healthcare providers on a new video, From Hippocrates to HIPAA: The Changing Face of Healthcare Risk.


Contact Data