While data security breaches at big healthcare organizations capture most of the media attention, small medical practices are actually more vulnerable to data losses and theft, according to a Kroll Fraud Solutions report cited in American Medical News.
Many small practices are using outdated technology to protect themselves, Kroll said. Some physicians don’t even encrypt their data or don’t do it properly.
In an interview with AM News, Beth Givens, founder and director of the Privacy Rights Clearinghouse, said “it stands to reason” that data thieves would be more likely to go after small practices than healthcare organizations that have invested a lot of money in security systems.
Hackers like healthcare data because it includes sensitive medical information, financial data and personal identification numbers. A Verizon report published last summer said that theft of medical records was on the rise and that small practices tended to be targeted because of their lack of sophistication.
However, the number of small practices that have actually experienced this kind of attack is hard to determine. The AM News article said that a query of the data breach databases of the Privacy Rights Clearinghouse and the Department of Health and Human Services (HHS) showed “dozens” of small practices had been hacked into. Clearly, that’s just the tip of the iceberg.
Physicians’ widespread use of mobile devices has added another wrinkle to the security environment. A recent Ponemon Institute study indicated that 52 percent of healthcare data losses stemmed from the theft or loss of computing devices such as tablets, laptops and smartphones. An HHS report in early 2011, similarly, found that security breaches involving the theft or loss of mobile devices accounted for 44 percent of all incidents and 65 percent of all records breached.
Of course, encryption could prevent medical records on missing laptops or tablets from being compromised. And the use of cloud-based EHRs could eliminate the need for any clinical data to be stored on a mobile device. Nevertheless, physicians in small practices need to be aware that they, too, must adopt strong security procedures in an era when data is easier to steal, and more ubiquitous, than ever.