Cybersecurity is an increasingly big concern across all industries, and healthcare is no exception. Over recent years, healthcare data breaches have grown to the point that healthcare is now among the industries most heavily affected by cyber-attacks. While that shouldn’t scare you away from the doctor’s office, there are precautions you should be taking to protect yourself.
What You Need to Know About Healthcare Data Breaches
- Reuters reports that between 2010 and 2017, there were more than 2,000 healthcare data breaches involving 176.4 million patient records. While the smallest breaches reported as few as 500 compromised records, the largest data breach affected nearly 79 million patient records.
- The Verge also reports that “the healthcare industry increasingly relies on technology that’s connected to the internet: from patient records and lab results to radiology equipment and hospital elevators. That’s good for patient care, because it facilitates data integration, patient engagement, and clinical support. On the other hand, those technologies are often vulnerable to cyber-attacks, which can siphon off patient data, hijack drug infusion devices to mine cryptocurrency, or shut down an entire hospital until a ransom is paid.”
- “Your medical records may be more valuable than your credit card number,” IdentityForce states. “Medical records contain more sensitive personal information than a bank account. With names, birth dates, insurance policy numbers, diagnosis codes, and billing information, fraudsters sell the information, create fake identities, file false insurance claims, and purchase medical equipment or drugs.”
Who Has Access to Your Personal Health Information?
- It’s not just your healthcare provider who has access to your personal health information. “By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers,” the Department of Health and Human Services explains. “However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. … The Privacy Rule allows covered providers and health plans to disclose protected health information to these ‘business associates’” under certain conditions.
- com: “The general rule [under HIPAA] is that PHI cannot be disclosed without the patient’s authorization. However, certain uses and disclosures of PHI for treatment, payment, and health care operations (TPO) do not require patient authorization if the TPO conditions under HIPAA are met …, many data sharing arrangements can be structured to meet the TPO exception and therefore would not require the patient’s authorization.”
What Healthcare Organizations are Doing to Protect You — And Where They’re Falling Short
- HealthTech Magazine explains that one study found that “75 percent of healthcare organizations spend 6 percent or less of their IT budgets on cyber security — a smaller share than some other industries, such as banking and finance.” But experts say that’s not acceptable.
- “The majority of healthcare organizations have had one or more data breaches caused by one of their vendors,” Corporate Compliance Insights points out. “It is the responsibility of the covered entity to vet thoroughly all potential business associates to assess the possible risks of sharing PHI. Reviewing a business associate’s security risk audits and HIPAA policies and procedures is a good way to evaluate a business associate’s HIPAA compliance program.”
- According to Datica, “Organizations that want to prove compliance with regulations such as HIPAA may choose to become HITRUST Certified. HITRUST certification indicates that an organization meets all requirements for the applicable HITRUST controls at the appropriate implementation level … HITRUST certification is costly, but more organizations are pursuing certification as a growing number of providers and other organizations are requiring their business associates to be certified.”
How You Can Protect Yourself Against Medical Identity Theft
- “The bulk of medical ID theft happens when the thieves use your information to obtain medical services of some kind,” Experian explains. To catch medical identity theft early, “closely watch your medical records, medical bills/statements, and any communications or notices you get from benefits providers, health plans, doctors, medical labs and other healthcare providers.”
- Gov explains that “[HIPAA] gives you the right to see and get a copy of your health record. Most health insurance plans and health care providers — including clinics, hospitals, pharmacies, labs, and nursing homes — must follow this law.”
- And AARP states that “if you’ve been a victim of medical identity theft, file a complaint with the Federal Trade Commission, online or at 877-438-4338. If the fraud is Medicare-related, report it to the U.S. Department of Health and Human Services’ Office of Inspector General, online or at 800-447-8477.”
Having your identity stolen is bad enough. But for consumers, medical identity theft is more than a threat to their credit — it’s a threat to their health and well-being. Make sure you’re taking healthcare data privacy seriously and protecting yourself against medical identity theft.