
By Jacqueline Belliveau (http://healthitsecurity.com/about-us) on March 31, 2016


Healthcare data breaches accounted for the most data security incidents in 2015, the second annual Baker Hostetler Data Security Incident Response Report (http://bakerlaw.com/files/uploads/Documents/Privacy/2016-Data-Security-Incident-Response-Report.pdf) stated.

The report analyzed the lessons learned from over 300 data security incidents that were managed by Baker Hostetler in 2015. Researchers found that companies, especially in the healthcare industry, need to be more “compromise ready.”

According to the report, a compromise ready company has preventative and detective security capabilities, procedures for gathering threat information, staff training and awareness, proactive security assessments, vendor oversight, updated incident response plans, regulatory understanding, and cyber liability insurance.


The report emphasizes a proactive approach to data security (http://healthitsecurity.com/news/avoiding-a-reactive-approach-in-federal-health-data-security), since it can be assumed that some type of data security event will eventually occur.

“The hardest hits to a company’s reputation are more likely to occur when the notification shows that the underlying cause should have been prevented or that the company is viewed as not handling the response well,” the report pointed out.

Out of all the industries that were studied, healthcare accounted for 23 percent of data security incidents in 2015. For the second year in a row, healthcare was one of the top affected industries studied.

Despite the high frequency of events, healthcare data security incidents were not as severe as those in other industries.


“And again, while frequency was high, the severity measured by number of potentially affected individuals was relatively low (fewer than 500 individuals per incident on average),” the report explained. “And the data that yielded the low average number of affected individuals for healthcare incidents included a couple of healthcare incidents that involved notification to millions of individuals.”

Researchers found that out of the healthcare-related events, 34 percent were caused by employee action or error and only 15 percent by phishing, hacking, or malware attacks.

Across all industries in the study, the most data security incidents (31 percent) were caused by phishing, hacking, or malware attacks. Employee action or mistake was the second leading cause of data breaches at 24 percent overall.

Human error was the leading cause of data breaches, according to last year’s study (http://healthitsecurity.com/news/human-error-top-data-security-issue-says-law-firm-report). Healthcare organizations are unique compared to other companies in the study because there is a higher risk of oral disclosure or paper record misuse. It is easier for a human error to occur in these cases.

Researchers went on to analyze the data security event timeline from detection to notification. On average, it took 69 days to detect the incident, seven days to contain it, 43 days to analyze what happened, and 40 days to notify potentially affected individuals.

The report revealed that the healthcare industry took nearly twice as long to detect a breach in data security. It took healthcare providers an average of 114 days to discover the occurrence. When it came time to respond to the potential data security breach, healthcare organizations did not have adequate incident response plans, the report stated.

The report suggested that companies complete a forensic investigation to analyze the incident, but healthcare entities only used this strategy in 13 percent of the events studied.

Healthcare organizations found it more difficult than other industries to analyze data security because more data breaches are caused by oral disclosures, paper records, and other accidental disclosures. Forensic investigation cannot analyze these events.

According to the report, healthcare organizations are also likely to be investigated for health data breaches.

The Department of Health and Human Services Office of Civil Rights (OCR) was highly likely to investigate all incidents that involved 500 or more individuals, the report explains.

OCR initiated an investigation 57 percent of the time with Baker Hostetler’s clients in 2015. “Healthcare organizations should not underestimate the importance of their response during an investigation, and work with experienced outside counsel just as the organization does when litigation arises,” the report states. “Too many organizations focus solely on notification requirements during the incident response. It is critical to embark on a parallel track of preparing to respond to an OCR investigation by undertaking corrective action that may justify closing an investigation quickly.”

The report indicates that healthcare organizations are not properly equipped to detect, analyze, and respond to healthcare data security breaches. Healthcare entities need to focus on being prepared for the upcoming attack.

“The bottom line is that the key to successful and rapid containment is to plan for the inevitable incident. Companies that have identified the forensic firm they will work with, have a master services agreement in place, and have conducted scenario planning usually reach containment faster and with less impact to business operations and reputation,” Theodore Kobus, Leader of Baker Hostetler’s Privacy and Data Protection team, said in a press release (http://bakerlaw.com/press/bakerhostetler-data-security-incident-response-report-reveals-being-compromise-ready-better-positions-companies-to-respond-to-incidents).

Image Credit: Baker Hostetler


©2012-2016 Xtelligent Media, LLC. All rights reserved. HealthITSecurity.com is published by Xtelligent Media, LLC
