According to a recent KPMG report on data loss, the healthcare industry’s greatest exposures for data loss are hard copy loss/theft, PC theft, and social engineering, ranking first (in a tie), second, and third against other sectors respectively for percentage of data lost. Further, more than any other sector studied, healthcare faces threats from every front that was examined, including the frightfully vague “unknown.”
On the positive side, the healthcare sector shows improvement in the last two years, but still remains vulnerable across a wide variety of data threats: hacking, PC theft, portable media, human/system error, web/network exposure, social engineering, malware, improper disposal, and hard copy loss/theft. PC theft represents around 1/3 of all data loss incidents in the healthcare and professional services sectors in the first half of 2012, and these two sectors also are at the top of the list of incidents where a third party was involved.
Although the data summarized in the KPMG report is derived only from publicly available reports of data loss, KPMG views it as “directional” regarding the losses and their causes attributed to various industries. Hacking is on the rise, but fortunately is not as prevalent yet in healthcare as in areas such as financial services, where it is easy to monetize information rapidly. That said, as Electronic Health Records and Health Information Exchanges take hold, more private information—both Personal Health Information and Personally Identifiable Information—will become likely targets.
Our Insight. Your Advantage.
Fighting a multi-front war to protect information requires more than isolated tactics. It requires a unified and strategic approach to information governance that focuses not only on compliance requirements, but also on risk reduction and leveraging the value of information. Although technology will invariably play a role, the good news is that improved information governance is made of much more, and does not require a six- or seven-figure technology purchase to get started. Instead, every organization, from the smallest Continuing Care Retirement Community to the largest multi-state health system, can find its way to Oz via the yellow brick road of mapping its data assets; ensuring it has a current, legally validated records retention schedule covering all types of information (not only medical records); and embracing policies, processes, and training to support responsible stewardship of its information. Husch Blackwell can help a little, or we can help a lot, but most important, we can help you get started. Whether you simply need an updated records retention schedule, help controlling your growing e-mail problem, or feel the need to develop better information controls generally, our Information Governance group has the unique mix of legal, technology, and records management experience to make it happen.