Over the weekend I read this study from the Ponemon Institute revealing that not only have nearly 90% of U.S. health businesses suffered data breaches during these past two years, but also the losses amount to a jaw-dropping $6.2 billion per year.
It’s Ponemon’s sixth annual report on the privacy and security of protected healthcare data, looking both at covered entities (CEs) and, for the first time, business associates (BAs) as defined by HIPAA and 45 CFR 160.103 of the Federal Regulations. The inclusion of BAs in the Ponemon study is timely: according to David Holtzman of CynergisTek, Phase 2 of the Office for Civil Rights (OCR) HIPAA audit program has already begun. In last week’s live Zix Webinar, David estimated that during the latter half of 2016 around 100 BAs will be selected for OCR desk audits, in addition to an estimated 200 CEs. The selected organizations will have fairly onerous duties in order to fulfil the audit requirements, so all BAs and CEs need to be prepared already. David covers these audit requirements in the recording of the Zix Webinar, which can be heard here.
The Ponemon study makes grim reading: 79% of healthcare organizations say they were hit with two or more data breaches in the past two years while 45% suffered more than five breaches. According to Ponemon:
“The research found that many healthcare organizations and their business associates are negligent in the handling of patient information. While external threats dominate, internal problems such as mistakes—unintentional employee actions, third-party snafus, and stolen computing devices—are equally a problem and account for a significant percentage of data breaches. In fact, 36 percent of healthcare organizations and 55 percent of BAs named unintentional employee action as a breach cause.”
These findings align with our experience that many breaches are due to employees unintentionally sending protected health information (PHI) to the wrong recipients. This is why, among CEs and BAs, ZixQuarantine has become a popular addition to Zix’s market-leading email encryption solution. ZixQuarantine is a data loss prevention (DLP) solution for email. Using the same on-premises or cloud technology already proven for email encryption, HIPAA-related policy and content filters scan outbound email, and its attachments, for sensitive data and check the recipients of that data, to detect whether the employee has made a mistake. If a potential breach is detected, ZixQuarantine stops the outbound email and quarantines it, giving your organization a second chance to be sure the correct data is going to the correct recipient.
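To make the outbound-DLP idea concrete, here is a small added example of the kind of check described above. It is illustrative code written for this post, not ZixQuarantine’s filters or any Zix code. The PHI patterns (a US SSN shape and a hypothetical "MRN 1234567" record-number format), the allow-listed partner domains, and the message structure are all constructed assumptions; a real deployment would carry far richer content rules and a recipient policy maintained by the organization.

```python
import re
from dataclasses import dataclass, field

# Content-filter patterns for PHI indicators. Constructed for this example:
# a US SSN shape and a hypothetical "MRN 1234567" medical record number format.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}

# Recipient policy: domains of the covered entity and its business associates
# that may receive PHI at all. Constructed placeholder values.
PHI_ALLOWED_DOMAINS = {"example-hospital.org", "ba-partner.example"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Verdict:
    action: str                                   # "deliver" or "quarantine"
    reasons: list = field(default_factory=list)


def find_phi(text):
    """Return the names of PHI patterns that match, never the matched values,
    so that the quarantine log does not itself become a PHI disclosure."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def evaluate(msg):
    """Policy: PHI may leave only to allow-listed domains; anything else is held
    so a human can confirm the intended recipient before release."""
    hits = {f"{name} in body" for name in find_phi(msg.subject + "\n" + msg.body)}
    for fname, text in msg.attachments.items():
        hits.update(f"{name} in attachment {fname}" for name in find_phi(text))

    if not hits:
        return Verdict("deliver")

    outside = [r for r in msg.recipients
               if recipient_domain(r) not in PHI_ALLOWED_DOMAINS]
    if not outside:
        return Verdict("deliver", ["PHI present; all recipients allow-listed"])

    reasons = [f"PHI to non-allow-listed recipient {r}: {', '.join(sorted(hits))}"
               for r in outside]
    return Verdict("quarantine", reasons)


if __name__ == "__main__":
    # Constructed sample: an employee mistypes a partner's domain on one recipient.
    msg = OutboundMessage(
        sender="nurse@example-hospital.org",
        recipients=["billing@ba-partner.example", "billing@ba-partnerr.example"],
        subject="Claim follow-up",
        body="Patient MRN 4471902, details attached.",
        attachments={"claim.txt": "SSN 123-45-6789 on file."},
    )
    verdict = evaluate(msg)
    print(verdict.action)
    for reason in verdict.reasons:
        print(" -", reason)
```

Two design points worth noting: the verdict records which pattern fired and where, but not the matched value, so quarantine notifications and logs can be shared with administrators without copying PHI into yet another system; and a message containing PHI addressed only to allow-listed domains is passed through rather than held, since the encryption policy, not the DLP filter, is what protects that legitimate traffic.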
More information about ZixQuarantine can be found here.
A recording of the Zix Webinar on Phase 2 of the HIPAA OCR Audits can be found here.