Archive for February, 2010


Most data breaches due to carelessness

Posted by: Doug Pollack | February 23rd, 2010

A recent article in American Medical News notes that the greatest risks to healthcare providers in the area of maintaining patient privacy aren’t offshore hackers or rogue employees, but rather simple accidents.

Over six months in 2009, 12,500 mobile devices were left in taxis, and 4,500 USB “thumb” drives were left in pants pockets that were then sent to the cleaners. The vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act are open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlight the importance for healthcare providers of evaluating the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least given a lower priority, by security professionals because of the tendency to focus on technology solutions for data security, or, in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies that prohibit professionals from storing patient data on their laptops, moving it from one location to another on a thumb drive, or viewing it on a smartphone, as a practical matter these policies do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

New Healthcare Data Breach Solution

Posted by: Doug Pollack | February 17th, 2010

ID Experts today announced a new and unique solution for data breaches that involve protected health information (PHI) and associated risks of medical identity theft.

With the passage of the HITECH Act last year and the clarifying Rules published by Health and Human Services (HHS), healthcare organizations now face greater scrutiny and higher risks when it comes to patient privacy.

Historically, there has been the perception of a somewhat lax environment relative to the enforcement of HIPAA privacy regulations. With HITECH only just recently becoming enforceable, the first lawsuit has already been filed by the Attorney General of Connecticut against Health Net of Connecticut concerning their delayed response to a data breach incident that occurred months ago. If this is any indicator, the enforcement environment for HITECH is likely to be very vigorous.

With this backdrop, ID Experts created a data breach remediation offering that is tailored to meet the needs of healthcare providers and payers, and their business associates.

Until recently, common practice has been for organizations that have a data breach incident to offer victims a year or two of credit monitoring. Unfortunately, credit monitoring alone is woefully inadequate in helping individuals deal with the risks of medical identity theft and health insurance fraud. With that in mind, ID Experts created FraudStop Healthcare Edition.

FraudStop Healthcare Edition combines several components that help individuals affected by a data breach detect and address the identity theft issues that can result from a data breach. These include:

- Credit monitoring

- CyberScan, a tool that scours cyberspace for the buying and selling of personal information including for use in insurance fraud

- Healthcare Identity Protection Toolkit, a new and unique offering from ID Experts that includes a collection of tools, checklists, resources and guides for assisting an individual in monitoring their medical identity and resolving fraud issues

- Identity theft reimbursement insurance

- Fully managed identity theft restoration services

Together, this package provides the most robust offering in the market today for healthcare providers dealing with data breach risks to assist patients in ensuring their privacy.

If your organization is in the healthcare industry and subject to the HITECH Act, you now have a better and more caring answer for your patients when dealing with occasional, but typically recurring, data breach issues.


Outsourced data breach response lowers costs

Posted by: Doug Pollack | February 9th, 2010

The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month. This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost customer costs are typically 2/3rds the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but it validates the value of an outside consultant that is knowledgeable and can execute using best practices.

- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.