Brookings Report: HIPAA Hacks Up 1,800 Percent
Feb 19, 2015 | hipaajournal | Healthcare Data Security
A new report by the Brookings Institution predicts a wave of HIPAA data breaches in 2015, claims that the healthcare industry is particularly vulnerable to attack and that there is a lack of consequences for healthcare providers that violate HIPAA Rules.
The report suggests that if breaches are to be avoided, healthcare providers, health plans, clearing houses and business associates must invest more heavily in IT security and must be further incentivized to make changes to improve privacy and security standards.
The Brookings Institution was founded in 1916 following the formation of the Institute for Government Research (IGR), and was the first organization devoted to analyzing public policy issues at the national level. The organization has produced numerous influential proposals for Congress, homeland security and a number of intelligence operations, and has helped shape debates and influence national policies.
The latest report focuses on data security in the healthcare industry, and the timing of its release couldn’t be more appropriate: it comes in the week that followed the successful hacking of the nation’s second largest health insurer, an attack that caused the largest ever exposure of healthcare data, with up to 80 million past and present policy holders potentially affected.
Brookings analyzed data breaches which had been reported to the Department of Health and Human Services’ Office for Civil Rights since 2008. The report indicates that HIPAA breaches have increased by 1800 percent since 2008, when the annual breach count was just 13. In 2013, the OCR received 256 reports of data breaches that had potentially exposed the records of more than 500 individuals.
In 2008, the total number of victims from the HIPAA breaches was approximately 500,000, yet in just six years that figure has risen to almost 9 million individuals. Healthcare providers have recorded the highest number of data breaches, followed by business associates, health plans and healthcare clearing houses.
Numerous Major HIPAA Breaches Predicted for 2015
HIPAA legislation has increased the standards of data security in the healthcare industry and has made it more difficult for hackers to steal healthcare data, but it is not possible to eliminate the risk entirely. Many organizations have struggled to bring their IT infrastructure up to date and to ensure full compliance. The report suggests that there has been little incentive for healthcare organizations to invest heavily in secure IT systems, and this has left the industry particularly prone to cyberattacks.
Patients and health plan members may be shocked or outraged by the theft of their data, yet few would actually take their business elsewhere, as would happen in the case of a retail breach. In the retail industry there is high competition and companies that do not invest in data security stand to lose their customers to competitors.
The Brookings report suggests that in healthcare, where it is not so easy to change services, there is little financial incentive for IT investment. A health plan member cannot easily change health insurer and may be tied to a particular provider via a work health insurance scheme. Changing a doctor after a data breach is similarly unlikely to happen to any great extent.
Without an economic incentive to invest in digital security, such as the threat of losing business, major breaches will continue to occur. With the value of Social Security numbers and personal data so high, the number of attacks on healthcare institutions is only likely to increase.