Data Privacy Day: Four Essential Facts

As Lee Barrett wrote earlier this year, a person’s healthcare record is five times more valuable on the black market than a credit card number because it contains a much deeper well of information.

Healthcare, of course, isn’t the only part of the economy worried about cybersecurity. To call attention to the need for education and better security measures, the National Cyber Security Alliance (NCSA) celebrates Data Privacy Day each year on January 28.

To highlight Data Privacy Day, Dan Konzen, campus chair for the College of Information Systems and Technology at the University of Phoenix speaks on four essential aspects of security to keep in mind. Konzen's center conducted a poll that found 52% of Americans feel less secure today about their information than they did 5 years ago, and 47% have experienced a breach. When it comes to healthcare cybersecurity, here are five things to know.

1. Cybersecurity breaches are increasing each year

Konzen said the number of attacks is increasing, but, fortunately, “As the number of exposures occurs in and out of healthcare, people are more aware.” The best measure of the growing cybersecurity problem can be found on the HHS reporting site, where breaches that affect more than 500 people must be recorded under the HITECH (Health Information Technology for Economic and Clinical Health) Act. Last year saw 316 reportable breaches, which is 17.4% of the total since reporting began in 2009.

2. Training is essential to avoid breaches

Konzen said the best hardware and software won’t prevent an attack if staff are not taught what to look for—especially when using e-mail. But there are other ways security is breached, such as leaving charts where other can see them, or using a sign-in system that leaves patient signatures visible. For patients, Konzen said, these are things to look for to gauge whether your provider has good cybersecurity practices.

3. Cybersecurity is not a “do it yourself” task

For most healthcare providers and systems, Konzen said cybersecurity “is not their wheelhouse.” Most use a third party for their electronic health records (EHR) or for other security training and services. Konzen said a key step after staff training is to have a third party “test” the system to see if employees know what to do when they get a suspicious e-mail. Most breaches, he said, happen due to errors by health system employees, not a breach of the third-party vendor. That said, Konzen recommends a thorough vetting of EHR or other security vendors before health systems sign a contract. Barrett, who is executive director of the Electronic Healthcare Network Accreditation Commission, reports that underwriters are increasingly looking for third-party accreditation.

4. Have a response plan

As Barrett noted recently, the sharp rise in breaches in 2016 means that more and more providers have been affected by them, and he notes that 80% of breaches are discovered by outside groups or audits. Konzen said healthcare providers and health systems must have a response plan in place. Some notification requirements are spelled out by law, but others—both technical steps and efforts to restore public confidence—are not. Right now, the University of Phoenix poll finds 70% of Americans trust the healthcare industry with their data, compared with 41% who trust the government.

A version of this story originally appears in the American Journal of Managed Care.