A new 28-page report from the Brookings Institution states that while public awareness of and consequences for healthcare data breaches are growing, so is the rate of breaches. The study found that 23% of all data breaches occur in healthcare, and that more than 155 million Americans have been affected by 1,500 breaches over the last 6 years. The per-record cost of a data breach in healthcare is $363, higher than in any other industry, the report found.
The study was authored by Niam Yaraghi, a fellow with Brookings’ Center for Technology Innovation, who interviewed 22 personnel at various healthcare providers, health insurance companies, and related business entities.
The health sector is being targeted by hackers for a number of reasons, Yaraghi writes. Healthcare organizations retain high-value data such as Social Security numbers and home addresses, which can be sold at premium prices on the black market. They also store large volumes of data for long periods of time, and both the volume and the retention period increase the risk of a breach. In addition, the increasing interconnectedness of healthcare means that more personnel now have access to patient data than ever before.
Human error is cited as the most common cause of breaches, but several other factors play a role. According to the report, the Health Insurance Portability and Accountability Act’s privacy rule is vaguely worded and outdated, and provides no specific direction about how to protect patient information. Organizations that suffer from a security breach also undergo an audit by the Office for Civil Rights (OCR), a process many say is unduly punitive and discourages health organizations from sharing details about the breach with other hospitals. Many health organizations are also reluctant to circulate their experiences because of the negative publicity associated with breaches.
The full report can be accessed on the Brookings Report website.
Photo credit: © Pictac | Dreamstime.com
“Organizations that suffer from a security breach also undergo an audit by the Office for Civil Rights (OCR), a process many say is unduly punitive and discourages health organizations from sharing details about the breach with other hospitals. Many health organizations are also reluctant to circulate their experiences because of the negative publicity associated with breaches.”
This is EXACTLY the kind of cultural infrastructure that creates incentives not to learn from mistakes. Have the battles fought for decades to enable learning from medical errors that resulted in harm not taught us anything that can be applied to security?
Do a search on the term “safety culture” and poke around. There’s plenty out there. An excerpt from a Wikipedia page on the topic includes this:
“From public enquiries it has become evident that a broken Safety Culture is responsible for many of the major Process Safety disasters that have taken place around the world over the past 20 years or so. Typical features related to these disasters are where there had been a culture of:
‘Profit before safety’, where productivity always came before safety, as safety was viewed as a cost, not an investment.
‘Fear’, so that problems remained hidden as they are driven underground by those trying to avoid sanctions or reprimands.
‘Ineffective leadership’, where blinkered leadership and the prevailing corporate culture prevented the recognition of risks and opportunities leading to wrong safety decisions being made at the wrong time, for the wrong reasons.
‘Non-compliance’ to standards, rules and procedures by managers and the workforce.
‘Miscommunication’, where critical safety information had not been relayed to decision-makers and/or the message had been diluted.
‘Competency failures’, where there were false expectations that direct hires and contractors were highly trained and competent.
Ignoring ‘lessons learned’, where safety critical information was not extracted, shared or enforced.”
Does anyone really believe that the way to address security breaches is via punishment? It doesn’t work for medical errors. It’s not working for opiate addiction. But it will work here?