To prevent medical records breach, assess system risk factors

Medical records contain a bevy of private, sensitive information related to a patient's health. Yet healthcare organizations have been "laggard" in heightening security measures for medical information, according to Larry Ponemon, founder of the Ponemon Institute, which studies data protection and information security.

Through years of research, Ponemon said his research team has consistently found that healthcare organizations have a high probability of a medical records breach. Even worse, Ponemon said there is a high likelihood that, if a hospital or medical provider had a medical records breach, they wouldn't know about it. A Ponemon study released in 2016 reported that half of all healthcare organizations had little to no confidence in their ability to detect the full picture of patient data loss or theft. Additionally, the study found that half of all healthcare organizations felt unsure they had sufficient technologies to prevent or detect unauthorized patient data access, or the loss or theft of a patient's records.

"A lot of healthcare providers don't have the right tools to know when a breach occurs," Ponemon said.

In 2017, more than 5.6 million Americans suffered from a medical records breach, where their records were either stolen or exposed, according to data released last year by Protenus and DataBreaches.net. Anthem, one of the largest health insurers in the United States, fell victim to a massive data breach in 2015 and nearly 80 million patient healthcare records were compromised.

According to Ponemon's research statistics, the cost of a data breach goes up "exponentially" the longer it takes for an organization to identify the medical records breach and contain it.

Most hackers are opportunists, and through their methods are able to find healthcare organizations with vulnerabilities. While large healthcare organizations are vulnerable to a medical records breach, smaller operations are just as susceptible, Ponemon said.

To avoid a medical records breach, Ponemon suggested organizations conduct a thorough assessment and prioritization of potential risks. By addressing 10% of the most critical risks initially, Ponemon said organizations "tend to be ahead of the game" and can resolve a lot of potential risk.

Once risk is assessed, an organization needs to build governance and control processes, which can focus on awareness. Then, Ponemon said, organizations can start researching technology and other options that may be available to help prevent a medical records breach.

Should a medical records breach occur within an organization, Ponemon suggested two major steps to take to address the issue.

1. Identify the breach. "You should have a compliance program where you're monitoring to make sure key systems are working and to make sure there aren't huge vulnerabilities, like unpatched software security updates. So, the first step is to identify the vulnerabilities because that's where the bad stuff happens."
2. Communicate. "Once you identify the breach, then it's a public issue. You need to communicate to your patients, the victims of the breach. Do it in a way that's unambiguous, honest. Give them information on how to protect themselves."

   The future of healthcare privacy and security depends on an organization's ability to think proactively to manage the emerging risks, which are very significant.

A medical records breach can hurt the system as a whole, costing the healthcare provider its reputation and the patient potentially thousands of dollars. Yet Ponemon said there is even more at stake than records when it comes to breaches within a healthcare organization.

Ponemon said one of the greatest areas of emerging risk is IoT. As technologies such as MRIs, CAT scans and pacemakers become more embedded in IoT, Ponemon said there is potential for hackers to target those types of technologies.

"There are issues that mean it may be more important than ever to maintain a high level of security," Ponemon said. "The future of healthcare privacy and security depends on an organization's ability to think proactively to manage the emerging risks, which are very significant."