Small medical practices greatly at risk for data breaches
They often lack sophisticated technology to deter thieves, making them bigger targets.
By Pamela Lewis Dolan — Posted Jan. 16, 2012
Data breach experts are issuing a warning to small practices -- don't be the vulnerable target that data thieves assume you are.
The Top Cyber Security Trends for 2012, compiled by Kroll's Cyber Security and Information Assurance unit, reports that small practices are more susceptible to security vulnerabilities because they are "the path of least resistance." Many rely on outdated technology, and basic protections, such as the proper use of encryption, are often overlooked while practices concentrate on meeting regulatory requirements, such as those related to meaningful use. (See correction)
Small practices often lack the technical sophistication to know which tools to put in place to prevent attacks, said Jason Straight, managing director of Kroll's Cyber Security and Information Assurance unit. Or they have the right tools, but the tools are not deployed or monitored correctly, he said. One example is data encryption that has been set up incorrectly, which gives a practice the appearance of protection without the substance.
Large organizations have become more "hardened," meaning they spend more money to safeguard their data, said Beth Givens, founder and director of the Privacy Rights Clearinghouse, an education and advocacy group that has tracked publicly reported data-breach trends across all industries since 2005. "It only stands to reason [that data thieves] would go after small practices," she said.
Breach experts have long said medical data are among the most valuable to thieves because of the depth of the information. Small organizations are often the easiest source of this data because they lack the security measures used by their larger counterparts. And because nearly three-quarters of practices are one- or two-doctor operations, there are simply far more of them to target than there are large organizations. Experts advise practices to take concrete steps now so they don't become the next breach victim.
The costs of a breach
Three of the six most significant data breaches in 2011 occurred at health care organizations, resulting in 11 million patient records being put at risk, according to a year in review report published in December 2011 by the Privacy Rights Clearinghouse.
Givens said medical data are valuable to thieves because of "the triple whammy" -- sensitive medical information, financial data and other identifying data that can be used for identity theft.
When a breach occurs, the practices are faced with the cost of notifying all of the affected patients and usually paying for identity theft and credit monitoring for them. The per-patient costs associated with a breach have risen to more than $200 in 2011 for notification and loss of income, according to the Ponemon Institute, a privacy research center based in Traverse City, Mich.
Many breaches also bring to light deficient IT systems that the practice must replace immediately. In addition, the practices could face fines from the Dept. of Health and Human Services.
Although breaches at large medical organizations often get more media attention because of the sheer number of records involved, that shouldn't be an indication that small practice owners are in the clear, experts say.
It's hard to put an exact number on small practice breaches because breaches generally are categorized by industry and not broken down by practice size, Givens said. There's also a good chance many breaches in small practices go unreported because they don't trigger state or federal reporting requirements, or are reported only in aggregate. For example, California doesn't require the reporting of paper breaches, and HHS lists on its public breach portal only breaches affecting 500 or more people; smaller breaches are logged and submitted to HHS annually rather than posted individually.
A query of the HHS breach database and the Privacy Rights Clearinghouse's database shows dozens of cases in 2011 involving individual physicians and small medical practices. The cases include hacking of network servers, office burglaries, thefts by insiders, and incidents arising from information technology problems that may have been malicious attacks or simple errors but resulted in data exposure either way. Givens said she is sure there are "a lot more breaches than are posted on our website."
Verizon's 2010 Data Breach Investigations Report, published in July 2011, found that the number of breaches caused by outside hackers at health care organizations rose in 2010. The report, an analysis of cases investigated by Verizon Business and the U.S. Secret Service, concluded that hackers tended to target small organizations because their lack of sophisticated technology leaves their information more exposed.
Practices planning to upgrade their IT systems often grow lax about routine maintenance, Straight said, because they don't want to spend valuable time and resources testing or patching a system that will be replaced in a few months. Others push routine maintenance to the bottom of their priority list as they deal with the economy and drops in revenue, especially practices that contract outside help for IT tasks. Either way, an unpatched system remains exposed for as long as it is in use.
Small practices also are being targeted through email. Straight said a common tactic is for the attacker to send a legitimate-looking email that appears to come from a business partner. The email either asks for confidential information or infects the recipient's computer with malware when the recipient clicks a link.
Straight offered these tips to help keep practices safe:
- Create a culture of data security. Most small practices can't afford to hire a data security team, so data security has to become the job of everyone in the practice. Continuous training and enforcement of existing policies will help everyone in the office stay aware of security as they perform their daily duties.
- Have an active incident response plan and team. Kroll's 2012 security trends report said more organizations will realize that incident response teams should be upgraded from a group that mobilizes only if and when an incident occurs to a team that is involved in day-to-day operations. For small practices, the team should include everyone on staff and possibly a third-party contractor who will help develop the response plan and provide assistance if an incident occurs. Employees should receive training on the response plan at least twice a year and practice it.
- Have a document retention policy. Because it's much easier to keep more data with an electronic medical record system, many organizations keep more than they need to, Straight said. This can lead to "data leakage," he said.
"The more data you push through the pipes, the more likely you'll spring a leak somewhere," he said. Most practices have a policy stating that after a certain period, records will be destroyed unless a patient asks to copy his or her records. "Most practices have a policy like that, but how many actually destroy these records or at least convert them to a form that makes them indecipherable? The main point is: Document retention and data security are inextricably linked."