Manatt Health Partner Comments on Healthcare Data Breaches
"How to Prevent Healthcare Data Breaches (and What to Do If You're a Victim)"
December 20, 2012 - Manatt's Robert Belfort, a partner in the firm's Healthcare Division, spoke to CIO about how organizations can avoid data breaches.
CIO reports that healthcare organizations are prone to data breaches, given that personal health information is worth 50 times more to thieves than credit card or Social Security numbers. In the last three years, more than 500 breaches affecting 500 or more patient records have been reported, and the Office for Civil Rights within the U.S. Department of Health and Human Services estimates that close to 60,000 smaller breaches have occurred within the same time frame.
Most data breaches begin with a moment of "You're not going to believe what just happened," said Belfort. It could be a CD with patient data that goes missing from a storage firm when the employee who signs for it suddenly resigns, or it could be a laptop taken from a car parked in an otherwise nondescript residential neighborhood.
Once an incident is discovered, the first step is determining if a breach actually happened. That's no small task, Belfort said, as there are differences between data breaches and system vulnerabilities or violations of an organization's security policy. Vulnerabilities and violations should be noted, both for auditing purposes and to educate employees about data security, but they don't automatically constitute breaches.
Even if a breach has occurred, Belfort continued, there are two additional questions to consider: Did unauthorized or improper access to personal health information (PHI) occur, and, if so, is there any risk to the organization? If an unencrypted laptop containing PHI was in a car that was stolen and subsequently dumped at the bottom of a lake, then the risk of anyone having seen that PHI is low, he said.