Health care systems are eager to adapt to newer technology and widespread network options, all in the name of giving patients the best possible care. However, this comes with a price: more outlets for hackers to breach valuable data.
Although data breaches in the retail and banking sectors have received massive coverage, the health care sector has not received the same kind of attention.
Consider that in 2017:
- There were 477 health care breaches reported to the U.S. Department of Health and Human Services or the media (nearly 5.6 million patient records were affected).
- Augusta University Medical Center was hit with two phishing attacks.
- A UC Davis Health employee’s choice to respond to a phishing email with login credentials compromised health information for nearly 15,000 patients.
As technology evolves, so do hackers. In 2015, insurance group Anthem suffered what was believed to be the largest breach of a health care company to date: more than 37 million patient records were exposed, including names, Social Security numbers, birthdays, addresses, email and employment information, and income data.
Medical data is big business, as records can fetch top dollar on the black market, up to $500 per patient. The information in stolen medical records is used to buy medical equipment or drugs, either of which can be resold, or to file bogus claims with insurers. Further, medical records lack the safeguards that credit cards or bank accounts have: they cannot be canceled.
Whether used in a secure or open location, mobile devices such as smartphones and tablets can offer hackers backdoor access to a medical group’s network. Medical devices that use internet, network, or Bluetooth connectivity have proven revolutionary for the health care industry, but because many of them were not originally designed to be networked, they lack the security protections needed to ward off hackers.
Further, a rise in health care service consolidation through mergers and acquisitions means more medical records are being moved around, shared and reviewed — sometimes on “legacy” systems that were never designed or intended for digitization — offering ripe moments for hackers to seize them.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was published on February 20, 2003. It focuses on safeguarding electronic protected health information (EPHI). All HIPAA covered entities must comply with the Security Rule, which protects the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their EPHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services (HHS) and issue a notice to the media if the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported through the Office for Civil Rights’ (OCR) web portal (OCR requires these reports only annually). Breach notifications should include the following information:
- The nature of the EPHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the EPHI or to whom the disclosure was made (if known).
- Whether the EPHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
Breach notifications must be made without unreasonable delay, and in no case later than 60 days after the discovery of a breach. The covered entity must inform the individual of the steps they can take to protect themselves from potential harm, including a description of the efforts to investigate the breach and the actions taken to prevent further breaches and security incidents.
However, compliance is not enough. HIPAA incentivizes health care providers to adopt secure networks by imposing large fines on providers who suffer breaches of protected health information due to a cyber attack. The cost and consequences of a breach fall on the entity, rather than the attacker. Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million for violations of HIPAA’s Privacy and Security Rules. In addition to massive fines and penalties for violations, the settlement process and implementation of a corrective action plan are extremely costly, time-consuming, and stressful.
How can the health care industry protect itself?
- Vendors should install security patches more widely on machines that record data, such as CT scanners.
- Old or unpatched operating systems should be upgraded so that medical facilities are less vulnerable to attacks.
- Networks should be segmented, or divided into subnetworks, to make them more secure.
- Health care groups must implement bring-your-own-device policies, such as allowed/banned apps and acceptable-use rules, for mobile devices like smartphones and tablets.
- Employee training should be increased to reduce the risk that employee negligence will contribute to or result in a security breach.
- Data should be backed up regularly, encrypted, and safeguarded with multi-factor authentication.