Given what many called a banner year in healthcare data breaches, many industry professionals were happy to bid 2013 adieu. From the massive Advocate data breach to the Affinity Health Plan photocopier breach, healthcare executives finally had to face the music and tighten information security controls in a post-HIPAA/HITECH Omnibus world. Perhaps the ultimate wake-up call was delivered with the unprecedented Target data breach from late in the year. Now pressured by a better-informed public, lawmakers are starting to address the concerns of living in a un-secure data era.
Unfortunately, 2014 has not fared much better. Earlier this month, Virginia-based Riverside Health System reported a data breach affecting nearly 1,000 of its patients. Of course, compared to some of the more attention-grabbing breaches from last year or even the Target case, Riverside pales in comparison. However, the duration and not the quantity of breached records is what tells the story. Riverside personnel disclosed that the breach had continued for over four years until it was discovered late last year. Were it not for an internal company audit, Riverside patients could still have their social security numbers out in the public arena.This particular case underscores the importance of performing HIPAA-mandated annual security risk assessments. While no entity will ever be able to cover all of their data breach risks entirely, performing these critical assessments enable administrators to spot potential issues before a harmless security incident blows up into a full scale, headline-catching data breach.
A security risk assessment does not have to be a major organizational undertaking either. In fact, insurance carriers offering data breach protection plans frequently will offer to perform a full security risk assessment for you for free. Nevertheless, smaller organizations without such insurance policies in place can perform the assessments with any number of freely available tools on the web.We’ve been told time and again by federal regulators that the first thing that is checked when a breach was reported was whether the entity had performed a security risk assessment. Don’t allow your healthcare organization to be the model for what not to do.