Healthcare data contains confidential, personal, and sensitive information that should remain secure. Despite efforts to protect patient data, data breaches happen and can lead to identity theft, fraud, and other harm. This study helps to determine the correlations between data breaches, affected individuals, covered entities, business associates, and location of data storage. Study findings indicate that more than 70% of data breaches are executed by healthcare providers and that security incidents frequently involve various digital or electronic information. The findings also show that threats continue to evolve and that factors beyond data theft and loss lead to breach incidents, unwanted exposure, and security events. The study gives healthcare leaders important knowledge to apply towards minimizing security risks, protecting confidential healthcare data, and minimizing breach mitigation and response costs.
1.2 Problem statement
1.3 The aim of this study
2.0 Study findings
2.1 Risk associated with data breaches
2.2 Data theft and breaches
2.3 Covered entities and business associates in healthcare
2.4 Potential impacts associated with data breaches
3.0 Business solutions
3.1 Applications to professional practice
3.2 Implications for social change
3.3 Recommendations for action
As technology advances rapidly around the world, data security is recognized as one of the most important aspects of operating institutions and businesses. Hospitals hold huge quantities of personal data, which makes a data breach an enormous threat to any such institution (Glenn & Monteith, 2014). Typically, data breaches occur in several forms, such as unintended disclosure, physical document loss, stationary device breach, portable device breach, insider breach, malware or hacking, and payment card fraud. This study examines data breaches within healthcare institutions.
From a data security point of view, healthcare institutions are vital since they hold huge quantities of data belonging to a large population. In response to a changing regulatory climate, fears of unwanted data exposure, and rising public concern, healthcare professionals must make sure that medical information is protected and secure. Medical data contains sensitive information about a person, such as name, address, date of birth, details concerning particular medical problems, other personal information, diagnoses of particular health problems, treatment, insurance and financial information, and medications. In the U.S., both business and governmental leaders have employed different strategies aimed at addressing data breaches (Wikina, 2014). Actions employed to help prevent data breaches include the enactment of breach notification regulations, mandated data privacy requirements, and increased spending to fund security initiatives. However, breach incidents continue to happen. Organizational leaders are known to be unprepared to address security matters and to fully address threats associated with information security. Businesses need to implement sufficient protection to secure and properly manage data against growing potential vulnerabilities, threats, and exploits. Thus, to better equip technology and healthcare professionals with information they can use to implement sufficient safeguards and manage security threats, healthcare leaders should understand the correlation between the variety of factors that could lead to data breaches.
Data breaches can cause legal exposure, reputational damage, and financial harm, leading to losses for business associates and providers. Accidental loss arising from major device theft accounted for about 77% of care breaches, and about 30% of breaches involved business associates, in 2015. In 2016, an estimated 75% of breaches were associated with system malfunctions and errors, and about 47% of breaches were caused by hacking and theft. Every year, breaches cost institutions approximately $7 billion, and cybercrime costs consumers billions (Abouelmehdi, Beni-Hessane, & Khalofi, 2018). The key problem caused by breaches is that they lead to reputational, financial, and legal damages. But the main challenge is the fact that some care professionals do not understand the connection between business associates, data breaches, the number of people affected, covered entities, and data storage locations.
This study investigates the relationships between business associates, data breaches, covered entities, data storage locations, and individuals affected. The study therefore offers healthcare professionals and other business practitioners understanding, information, and knowledge of the correlations linked with data breaches. Healthcare leaders may apply the information gained from this study to deploy proper preventative measures, change business practices, and manage data security effectively. The study promotes social change in which healthcare professionals use its findings and recommendations to better secure and protect the private medical records of individuals and patients. Hospital leaders should use the findings of the study to reduce data security risks, protect confidential healthcare data, and minimize the costs linked with breach mitigation and response activities.
2.1 Risk associated with data breaches
For many reasons, including privacy concerns, costs, possible legal challenges, and other implications, the need to protect sensitive and private health data is a matter of rising significance for today's leaders. Sensitive and personal information can include trade secrets, client records, proprietary or intellectual company data, information about patents, and clinical records. Moreover, the potential financial implications of security breaches, as well as the breach cases themselves, can increase awareness of information security matters among organizational leaders (Angst, Block, D'Arcy, & Kelley, 2018). Consumers frequently take legal action against companies because of the increase in data breaches involving personal information, identity fraud, and theft allegations. Mitigation costs associated with data breaches are higher in healthcare than in other industries, which is a concern for business leaders in the health industry.
Across industries, breaches of information security are quickly increasing, and because of the confidential nature of health data, the healthcare industry is commonly affected by information security threats. Data breaches happen regularly, and the expenses linked with mitigation activities can be high (Kwon & Johnson, 2014). Because data breaches occur so frequently, the costs linked with breach cases have effectively become part of the operational costs of carrying out business.
Exposure of just one breached record costs firms about $202, and such costs rise significantly with the number of records exposed in a particular incident. Thus, to minimize the possible effect of information security threats, organizational leaders should store and retain only the minimal quantity of information required to carry out their business. Entity leaders who retain more information than is essential to carry out business significantly increase the potential impact and risk of data breaches. Despite strict security measures, threats and vulnerabilities are continuously evolving. No information system can be completely secure, and data breaches unavoidably happen (Angst, Block, D'Arcy, & Kelley, 2018). Furthermore, there seems to be no industry that cannot be affected by data breaches. Security incidents causing exposure of sensitive information happen in nearly all major industries, including financial, hospitality, telecommunications, manufacturing, healthcare, public sector, non-profit, military, and government. Healthcare leaders are therefore responsible for implementing proper security programs to protect, secure, and safeguard the data of their organizations. Moreover, healthcare entities require efficient solutions to reduce the effects of security threats.
Healthcare data normally contains confidential and valuable information that attackers could target. In the U.S., the HIPAA law requires institutions and firms to adopt electronic, technical, and administrative measures to help ensure the protection, security, and confidentiality of healthcare information (Abouelmehdi, Beni-Hessane, & Khalofi, 2018). Other nations have similar provisions governing the privacy of medical data. If healthcare data is exposed in a breach incident, the result can be patient safety, operational, and regulatory risk for institutions. Malicious activities against hospitals, clinical practices, and medical institutions represented about 71% of attacks, whereas other attacks targeted pharmaceutical firms.
Data breaches linked with accidental exposure or theft can result in the exposure of medical information. Possible security risks linked with healthcare data include exposure or loss of information, disruption or theft of devices, and downtime of important infrastructure used to support healthcare services. Moreover, unintentional accidents or theft can result in the exposure of many patients' medical records. During 2009-2012, many of the data breach cases reported to DHHS were associated with accidental exposure or theft. In 2013, a care staff member working for a university hospital-based institution was charged and found guilty of using valid access to steal and then sell patient records containing names, addresses, and medical record numbers (Angst, Block, D'Arcy, & Kelley, 2018). Another incident involved a contractor attached to the same university's hospital who accidentally and improperly downloaded records onto a laptop. The records contained the personal information and medical records of thousands of patients. Many other related incidents occur every day. For example, patient information can be accidentally exposed when researchers fail to store confidential information meant for internal or local use only and the data is exposed to unauthorized individuals.
Data losses and breaches occur for several reasons. Data breaches mostly occur as a result of loss and theft. Theft accounts for about 47% of breach incidents, and an estimated 27% of breaches involve some kind of data loss. Most HIPAA violations result from data breaches associated with unintentional loss or employee theft. Generally, three major factors lead to data breaches: employee or external theft, insufficient security and disposal of sensitive data, and intrusion attempts or external hacking (Abouelmehdi, Beni-Hessane, & Khalofi, 2018). Insider threats and employee malfeasance are a main cause of many organizational data breaches. Outsiders conduct 60% of attacks, while about 40% of breach incidents are committed by insiders working within firms.
However, other causes can lead to data breaches. Breaches can happen when criminals steal vital information and passwords by exploiting vulnerabilities in web applications. Factors that can result in data breaches include intrusion by insiders or external attackers; unintentional data loss; insiders who use valid credentials to steal, exploit, or abuse confidential data for profit; accidental data loss by employees; and dissatisfied employees and patients who target systems for disruption or damage (Wikina, 2014). Employee inappropriate activity, negligence, and malfeasance can cause data breaches. Furthermore, data breaches can also happen when medical devices run on pre-packaged commercial software containing vulnerabilities that attackers can exploit to reach the interconnected network of medical systems.
The use and proliferation of portable electronic devices also adds complexity to information security. For example, criminals can use illegal means to penetrate electronics, which can have enormous impacts on businesses. Criminals can sell stolen medical information at a high price on the black market (Angst, Block, D'Arcy, & Kelley, 2018). The use of automation technologies and networked, interconnected systems within healthcare can spread software viruses and contribute to hacking incidents, data privacy risks, and other matters leading to system malfunctions and interruptions. Hackers frequently target healthcare and medical systems because they are a source of information that can be used for fraudulent activity, such as selling medical data on the black market for large profits.
Many medical entities, such as organizations, insurance firms, and hospitals, are involved in the management and protection of health information and medical records. 'Entity' is a term for the kind of governmental agency or organization covered under the privacy breach regulation. The Final Privacy Rule and the HIPAA law govern covered entities, outline protection requirements and disclosure rules for health information, and specify the permissible and appropriate use of medical and healthcare data (Glenn & Monteith, 2014). But certain medical entities are not regarded as covered entities and therefore are not subject to HIPAA rules. The privacy regulations apply only to medical facilities that transmit health information electronically.
Under the HIPAA regulations, covered entities and business associates have to protect the availability, integrity, and confidentiality of patients' medical data and may disclose confidential health data only under certain conditions. Healthcare professionals should obtain consent to reveal personal information and should apply proper security safeguards, controls, and measures to reasonably maintain and secure the integrity of healthcare systems (Glenn & Monteith, 2014). Under the HITECH regulations, business associates and medical entities have to report any unauthorized disclosure of healthcare information, and violating these rules can lead to severe penalties. Both medical service providers and business associates can face civil and criminal penalties for exposing healthcare data inappropriately.
Healthcare laws apply to organizations, medical entities, and vendors dealing with mobile application solutions. The DHHS publishes and maintains security standards that apply to various medical entities such as physicians, clearinghouses, health plans, and other providers. The DHHS security standards require business associates and medical organizations to protect, secure, and safeguard healthcare information against data breaches. Covered entities must observe HIPAA regulations, which include rules such as implementing procedures and policies to safeguard electronic medical data and preventing unwanted disclosure of medical information (Glenn & Monteith, 2014). Otherwise, such entities can be fined as much as $1.5 million for violating the rules. Under the HIPAA regulations, regulators can fine both covered entities and business associates for compliance violations and for failing to protect medical data. The HIPAA and HITECH regulations make medical entities and covered entities responsible for protecting confidential medical data and include rules for potential penalties and fines if medical professionals breach patient information. The HITECH regulations also include security provisions, standards, and legal obligations for healthcare service providers such as clearinghouses and health plans to secure and protect private health information. Moreover, medical applications that store personal health and medical data used in healthcare entities must observe HIPAA security standards.
Data breaches and unwanted exposures of information can occur because of unauthorized attempts to access computing systems through hacking, theft of computing devices containing confidential records, and inappropriate disposal, destruction, or handling of data. External vendors, outsourced partners, and third-party associates can cause data breaches that ruin the reputation of the organization and affect the overall strategic value of the firm. Business associates and third-party vendors exposing patient information represent a main and rapidly rising source of data breaches (Wikina, 2014). Sources of data breaches include inappropriate activities and system malfunctions of third parties. External third-party vendors and third-party business associates are commonly involved in data breaches.
Organizational leaders commonly depend on information systems to conduct their business. However, people can expose information within these systems, leading to data breaches, losses, and unwanted exposures. For instance, a great number of healthcare professionals regularly use smartphones and electronic devices. Medical practitioners now have access to many applications through electronic devices and mobile phones that they can use to manage and facilitate patient care (Abouelmehdi, Beni-Hessane, & Khalofi, 2018). Care providers can now perform functions such as updating patient medical records and processing prescriptions via a computer or mobile device. But the changing technological landscape can contribute to rising data privacy difficulties, vulnerabilities, and challenges for medical practitioners whose responsibility is to protect sensitive client data. Data breach incidents can affect a firm and its ability to continue operations.
Security incidents and data breaches can affect the safety and health of patients and have individual and organizational impacts. Breaches and unwanted disclosure of sensitive and personal data can lead to identity, financial, and medical fraud, negatively affecting consumers. Breach incidents can affect the health and safety of individuals and the quality of patient care. Attacks and breaches on health information systems can affect important patient services, such as individual insulin pumps and portable implantable devices, or negatively impact other business associated with healthcare services (Angst, Block, D'Arcy, & Kelley, 2018). Data breaches can take healthcare systems offline and cause prolonged disruptions of care services. Security incidents can delay patient treatment, decrease staff performance, and cause financial impacts for care organizations when systems are offline. Data breaches can cause damage such as merging, tampering with, or wrongly modifying personal healthcare information with other healthcare records. Healthcare providers may erroneously use information found in breached records, which can contribute to unsuitable treatment, diagnosis, or other impacts, and therefore affect the overall health of a patient or cause a patient's death.
Breaches of care data have three major impacts: reputational, health, and financial. Data breaches affect an organization through response, investigative, and mitigation costs. Security incidents can cause reductions in stock prices, exposure of sensitive information or trade secrets, and reputational effects (Kwon & Johnson, 2014). Though it is not easy to determine the precise costs of data breaches, the impacts may involve unwanted costs of penalties and fines, expenses to remediate affected security systems, legal costs associated with challenges filed by stakeholders, and compensation payments to individuals affected by the data breaches.
3.1 Applications to professional practice
The study findings above can be applied to professional practice, and both business leaders and managers can use them to decrease security risks. The findings also indicate that data breach cases frequently affect many individuals. Medical data contains highly confidential, sensitive, and personal information about patients and individuals. Managers may consider decreasing the number of electronic computing devices, such as portable devices, mobile phones, and laptops, that transmit, store, and process sensitive personal information, thereby decreasing the risk and potential of unwanted exposures. Furthermore, healthcare leaders may consider collecting and storing only the minimal, essential, or critical components of personal information associated with health records and should avoid over-collecting confidential and sensitive information (Wikina, 2014). Collecting sensitive and personal health data can therefore be restricted to only the essential records, to reduce the risk of exposure and significantly minimize the number of individuals affected whenever security breaches happen. Business leaders may consider managing and maintaining confidential health information only as required for one-time use, to help prevent exposure through data breaches in the future.
The findings show that an estimated 75% of data breaches are executed mainly by care professionals, and non-healthcare providers such as clearinghouses or health plans are normally not involved in most security breaches. The findings show that health organizations are at risk of data breaches because of their business dealings with covered entities. Therefore, healthcare providers are advised to strengthen their prevention efforts and invest in effective preventive security measures (Abouelmehdi, Beni-Hessane, & Khalofi, 2018). The nature of security incidents and the threat landscape are constantly changing. Business associates are not involved in more than 95% of data breaches, as most breaches are executed by insiders. To continue lessening the effect of data breaches caused by external partners and business associates, healthcare leaders should continue to build effective relationships and partnerships, as this would decrease risk. But healthcare managers should assess, examine, and evaluate the security controls and infrastructure within their business, as the findings show that data breaches normally originate within healthcare entities rather than with third-party vendors, business associates, or external entities.
Organizational leaders have a regulatory obligation and legal duty to protect personal information and prevent data breaches. A crucial step in preventing data breaches within healthcare is for organizational leaders to recognize the threats that contribute to data loss. Collaboration, information sharing, and communication among private and public security leaders are identified as key elements of an effective information security program and risk management strategy (Kwon & Johnson, 2014). The findings encourage increased collaboration, discussion, dialogue, and interest among private and public security leaders about information security strategies and risk management, to contribute to positive organizational and societal impact.
Healthcare leaders, security professionals, and other individuals responsible for managing and securing confidential or sensitive healthcare information will find the findings of the study useful and relevant. The findings and information of this research may be appropriate for tradeshows, conferences, and seminars aimed at helping organizations strengthen and protect their information security programs and practices. The study identified managerial recommendations that healthcare leaders and security professionals may find useful. The study identified that more than 70% of data breaches involve care professionals. A potential approach healthcare providers may adopt to minimize future data breaches is to streamline and reduce the number of devices that store sensitive data (Wikina, 2014). Organizations can restrict the copying and storage of personal data onto non-encrypted portable devices. Restricting the number of devices that store sensitive data means less sensitive information is available to attack, which could minimize societal risk and reduce the potential damage and harm to individuals and consumers resulting from unwanted data loss. The study identified that more than 95% of data breaches do not involve external third-party vendors or business associates. Since these data breaches are not linked with data maintained and managed by external vendors, security incidents mostly occur as a result of data stored and maintained internally within healthcare entities (Kwon & Johnson, 2014). To reduce the societal effects of security breaches, managers should consider implementing strong automatic detection and monitoring programs to recognize security threats before data breaches occur. Managers can prevent unauthorized data loss by deploying endpoint security solutions that regularly monitor data and routinely recognize policy violations.
Data breaches can lead to reputational damage, identity theft, and financial fraud, and can result in regulatory risk connected with legal challenges, fines, and other penalties for not complying with healthcare regulations. Security incidents involving healthcare information may lead to fraudulent submission of healthcare and medical claims, exposure of confidential patient healthcare records, inappropriate treatment and diagnosis resulting from inaccurate or erroneous information, or insurance and healthcare billing fraud. Furthermore, the costs of incident response and breach mitigation can hinder the long-term financial viability of an organization. Thus, safeguarding sensitive, confidential, and personal healthcare information will likely become an increasingly stable strategic priority for business leaders and security practitioners. There are cost savings and operational benefits when firms digitize and automate healthcare data, but attack mechanisms, exploits, and security threats remain potential risks. The study findings indicate that the threat landscape is constantly evolving and involves several factors other than data theft and loss that lead to breaches and unwanted exposure of medical data. Thus, to manage data security efficiently and reduce the potential reputational, financial, and societal damage from data breaches and security incidents, company managers need to evaluate, assess, examine, and constantly monitor existing information security programs and apply suitable preventive measures that minimize the effect of information security risks and data breaches.
Angst, C., Block, E., D'Arcy, J., & Kelley, K. (2018). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893-926.
Abouelmehdi, K., Beni-Hessane, A., & Khalofi, H. (2018). Big healthcare data: Preserving security and privacy. Journal of Big Data, 5(1), 34-47.
Wikina, S. (2014). What caused the breach? An examination of use of information technology and health data breaches. Online Research Journal Perspectives in Health Information Management, 11(1), 5-12.
Kwon, J., & Johnson, E. (2014). Health-care security strategies for data protection and regulatory compliance. Journal of Management Information Systems, 30(2), 41-66.
Glenn, T., & Monteith, S. (2014). Privacy in the digital world: Medical and health data outside of HIPAA protections. Current Psychiatry Reports, 16(3), 494-512.