Data breaches are a ubiquitous part of life, and many are not even considered "newsworthy" unless they involve tens of thousands of consumers. But for healthcare providers, attacks on ePHI (electronic Protected Health Information) and on the personally identifiable information (PII) stored alongside it are on the rise. The attacks take many forms, including ransomware, phishing schemes and more. In healthcare, breaches of unsecured patient information must be reported to the US Department of Health and Human Services (HHS). HIPAA privacy and security enforcement is the job of HHS's Office for Civil Rights (OCR), and a breach of protected information can result in hefty fines and/or corrective action plans.

Just How High Can Settlements Be?

So far in 2016 the top settlements included:

  • University of Mississippi Medical Center – $2.75 million following a stolen laptop; and
  • Oregon Health & Science University – $2.7 million for "widespread and diverse problems" with its data protection. The settlement also included a three-year corrective action plan.

It should be noted that these settlements, and similar ones in 2015, stemmed from the organizations' failure to correct security problems they already knew about. So, if your organization is aware of a violation, or of a risk that could become one, and does not act to fix it, count on a substantial settlement or fine if you are audited.

What is a HIPAA Data Breach?

The official language for a data breach, as defined by HHS is available online. But, let’s see the actual meaning in normal everyday language rather than the legal and bureaucratic jargon contained in the official regulation.

A breach is an impermissible acquisition, access, use or disclosure of the health and personal information a health care provider or its business associate holds about patients, one that compromises the security or privacy of that information. The rule applies to unsecured PHI: information that has been encrypted or destroyed in line with HHS guidance counts as secured, and losing it is not a reportable breach. Any other impermissible disclosure is presumed to be a breach unless the provider performs a risk assessment, documents it, and can show a low probability that the information was compromised. The four factors that assessment must weigh are:

  1. The nature and extent of the protected information involved, including what kinds of identifiers were present and how likely it is that someone could be re-identified from it;
  2. Who the unauthorized person that received or accessed the information was (for example, another HIPAA-covered provider versus an unknown thief);
  3. Whether the information was actually acquired or viewed, or merely exposed; and
  4. The extent to which the provider and/or its business associate (if involved) has mitigated the risk, for example by confirming a remote wipe or obtaining the data back with a signed assurance that it was not copied.

If a provider has a breach, it must notify the affected individuals without unreasonable delay and no later than 60 days after discovering it, and it must notify HHS: immediately (within the same 60 days) if 500 or more individuals are affected, or in an annual log for smaller breaches. A breach affecting more than 500 residents of one state or jurisdiction must also be reported to prominent media outlets serving that area.
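As an added example (not part of the original page, and not VITECH's own tooling), the following breach-triage helper encodes the decision points above in plain code: the encryption safe harbor, the four-factor risk assessment, the 500-individual thresholds and the 60-day deadline. The field names, the four constructed scenarios, and the rule used to combine the four factors are this example's own assumptions; HHS requires every factor to be weighed and the reasoning documented rather than reduced to a formula.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and deadlines from the HIPAA Breach Notification Rule (45 CFR 164.400-414).
NOTICE_DEADLINE_DAYS = 60       # individuals (and HHS for large breaches): within 60 days of discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: notify HHS now; fewer: annual log
MEDIA_THRESHOLD = 500           # more than 500 residents of one state/jurisdiction: notify media


@dataclass
class Incident:
    """Facts an incident responder gathers before deciding on notification.
    The field names are this example's own, not HHS terminology."""
    description: str
    discovered: date
    individuals_affected: int
    phi_encrypted: bool          # encrypted at rest per HHS guidance and the key was not lost with it
    identifiers_present: bool    # factor 1: direct identifiers, or data that could re-identify a person
    recipient_under_hipaa: bool  # factor 2: recipient is itself a covered entity or business associate
    actually_acquired: bool      # factor 3: evidence the PHI was opened, copied or exfiltrated
    mitigated: bool              # factor 4: risk mitigated (remote wipe confirmed, data returned with attestation)


def low_probability_of_compromise(inc: Incident) -> bool:
    """Four-factor risk assessment. The combination rule below is this example's
    conservative policy (assumption), not an HHS formula."""
    if not inc.identifiers_present:
        return True    # nothing ties the data to a person
    if inc.actually_acquired:
        return False   # data known to have been read or copied cannot be "low probability"
    # Not acquired: accept either a HIPAA-bound recipient or confirmed mitigation.
    return inc.recipient_under_hipaa or inc.mitigated


def required_notifications(inc: Incident) -> dict:
    """Decide whether the incident is a reportable breach and who must be told."""
    if inc.phi_encrypted:
        return {"breach": False,
                "reason": "secured PHI (encryption safe harbor): not a breach of unsecured PHI"}
    if low_probability_of_compromise(inc):
        return {"breach": False,
                "reason": "documented low probability of compromise"}
    deadline = inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    large = inc.individuals_affected >= HHS_IMMEDIATE_THRESHOLD
    return {
        "breach": True,
        "notify_individuals_by": deadline,
        "notify_hhs": ("without unreasonable delay, by " + deadline.isoformat()) if large
                      else "log it; report to HHS within 60 days after the end of the calendar year",
        # Assumption: all affected individuals live in one state, so the total is
        # compared directly against the per-state media threshold.
        "notify_media": inc.individuals_affected > MEDIA_THRESHOLD,
    }


# Constructed scenarios for illustration (not real incidents).
STOLEN_ENCRYPTED_LAPTOP = Incident(
    "clinic laptop stolen from a car; full-disk encryption enabled", date(2016, 8, 1), 1200,
    phi_encrypted=True, identifiers_present=True, recipient_under_hipaa=False,
    actually_acquired=False, mitigated=False)
STOLEN_PLAIN_LAPTOP = Incident(
    "same theft, but the disk was not encrypted", date(2016, 8, 1), 1200,
    phi_encrypted=False, identifiers_present=True, recipient_under_hipaa=False,
    actually_acquired=False, mitigated=False)
MISDIRECTED_FAX = Incident(
    "discharge summary faxed to the wrong physician's office, returned unread", date(2016, 8, 1), 1,
    phi_encrypted=False, identifiers_present=True, recipient_under_hipaa=True,
    actually_acquired=False, mitigated=True)
SMALL_USB_THEFT = Incident(
    "unencrypted USB stick with 40 patient records, later seen posted online", date(2016, 8, 1), 40,
    phi_encrypted=False, identifiers_present=True, recipient_under_hipaa=False,
    actually_acquired=True, mitigated=False)

if __name__ == "__main__":
    for inc in (STOLEN_ENCRYPTED_LAPTOP, STOLEN_PLAIN_LAPTOP, MISDIRECTED_FAX, SMALL_USB_THEFT):
        print(inc.description, "->", required_notifications(inc))
```

The two laptop scenarios differ in a single field, and that field decides whether the incident is a non-event or a 1,200-person breach with HHS and media notification; that is why the encryption status of lost devices is the first thing to establish during triage.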

What Types of Data Breaches Are Reportable?

The health care industry is as tempting to cyber criminals as honey is to a bear. In 2014, hacking was the major concern of health care providers, but in 2015 lost or stolen devices moved to the top of the list, with other causes such as hacking close behind. Following are the top causes of reportable data breaches in the health industry in 2015.

Top Reasons for Health and Personal Information Breaches – 2015 Health Care Industry

  Type of Incident                Share of Reportable Incidents (%)
  Lost & Stolen Assets            45.4
  Misuse of Access Privileges     20.3
  Miscellaneous Mistakes          20.1
  Other                            6.7
  Point of Sale (POS)              3.8
  Web Applications                 1.9
  Crimeware                        1.4
  Cyber Espionage                  0.3
  Payment Card Skimmers            0.1

Taken together, just the three largest categories (lost and stolen assets, misuse of access privileges, and miscellaneous mistakes) account for 85.8% of the incidents listed, i.e. more than 85% of all reportable health care industry data breaches. None of the three requires a skilled attacker.

Are Data Breaches Preventable?

Certainly, or at least the great majority of them, since the leading causes are lost devices, misused access and plain mistakes. Following are some of the ways to do this.

  • The best way to avoid a data breach is to train your employees: do not open email from an unknown sender or click on links or attachments in such a message, and never download anything from a website you do not know.
  • Keep all software current, the operating system included, by applying security patches as soon as they are available.
  • Install the most effective antivirus and anti-malware software available to you and update it daily (most products can be set to update automatically).
  • Encrypt laptops, phones and removable media that hold ePHI. Lost and stolen devices are the top cause of reportable breaches, and a device encrypted according to HHS guidance does not hold "unsecured" PHI, so its loss does not have to be reported as a breach.
  • Limit access to ePHI to the staff who need it for their jobs and review those rights regularly; misuse of access privileges is the second-largest cause on the list above.

The Role of a Managed Services Provider (MSP) in Preventing Data Breaches

Many health care providers have begun to migrate to the cloud and are choosing vendors that can provide tighter security after the transition. With an MSP you gain hardware and software solutions customized to your needs that already come with strong security features, such as managed firewalls and automatically updated protection against malware and viruses.

System updates, especially in small offices where there is no real IT function, are often neglected: patches arrive and nobody applies them. With an MSP, patching is a burden that is no longer your organization's concern.

VITECH is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (800) 536-2156 or send us an email at info@vitechpros.com for more information.
