According to an article published this week on Healthcareinfosecurity.com, once the federal tally kept by the United States Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) is updated with three new 2012 incidents, the count may pass the dubious milestone of 20 million individuals affected by major healthcare information breaches. This list, which tracks breaches affecting 500 or more individuals, has been growing since its inception in September 2009, when the HITECH Act-mandated breach notification rule went into effect. Among other things, the HITECH Act raised the maximum fines for HIPAA-related violations from a previous ceiling of $250,000 per year to a new high of $1.5 million per year.
Similarly, a 2011 study by the Ponemon Institute found that despite an increase in Health Insurance Portability and Accountability Act (HIPAA) compliance in the healthcare industry, data breaches are increasing, costing the healthcare industry $6.5 billion annually (an average of $2.2 million per breach). The frequency of data breaches among organizations in this study has increased 32 percent from the previous year. Many of these were due to employee mistakes and sloppiness – 41 percent noted unintentional employee action.
While much of the coverage of the Act has centered on the requirements it places on the healthcare industry, HIPAA is designed to protect privacy rights while also allowing the electronic flow of health information needed to provide and promote high quality health care. So how can an organization safely balance the need to collaborate and share information with the need to comply with regulatory requirements and protect patients' personal health information (PHI)?
A multi-pronged approach that combines employee education, training, and awareness with technical enforcement is required. Access and rights management controls and monitoring, along with change and configuration management and audits, can all lead to a more secure and less vulnerable environment. For organizations using Microsoft SharePoint as one of their primary systems for collaboration or enterprise content management – which, according to AIIM's "State of the ECM Industry 2011" report, includes 60 percent of organizations and 70 percent of larger organizations – this kind of automation and continuous monitoring is available from AvePoint.
AvePoint's Healthcare Kit allows chief privacy officers, chief information security officers, chief medical officers, and administrators to implement automated access and content controls for their enterprise-wide SharePoint systems (and file share systems) to prevent breaches from happening. If and when a breach does occur, the Healthcare Kit also enables swift detection so the organization can track, respond, and recover. This reduces the likelihood of a catastrophic incident and feeds information back into system hardening and improvements, supporting the continuous lifecycle that a successful risk management program requires.
What are your thoughts on mitigating risk and protecting information in SharePoint? Leave a comment and let us know!