The healthcare hacks continue, and the reasons are obvious, but unfortunately the headlines will keep coming. In what has become commonplace in healthcare, several organizations announced in August that they had been, or were likely to have been, breached. Here is some detail, and some background on why we will continue to see these crimes occur.
Several reports point to a hack of a server at Orleans Medical Clinic in Massachusetts. According to one report, in mid-April 2016 the Orleans Medical IT team discovered suspicious activity on one of its servers, the clinic said in a statement; on following up, they found that EHR data had been left unsecured on the server after it had been upgraded. That is a change-management failure as much as an intrusion: access controls have to be re-verified after any server change, not assumed to have survived it. Hackers apparently had access to the information from April 5 through April 17, and 6,890 people may be affected.
“While our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual's information, it would have been possible for the hackers to access and obtain patient information about all of our current and former patients, including medical records and demographic information, such as date of birth and Social Security number,” Orleans Medical stated.
There’s the rub. It’s no secret that hackers want this information, and health records are rife with it: personal details, patient addresses and SSNs. As InfoWorld reports, “Financial data has a finite lifespan because it becomes worthless the second the customer detects the fraud and cancels the card or account. Most forums for such data have a high enough surplus of stolen payment cards that they have fire sales. But information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can't easily be canceled, and medical and prescription records are permanent. There's also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums.”
In a separate security event from the one detailed above, the Carle Foundation, in Illinois, said some of its patient information was made viewable online because of a vendor. The vendor had placed files containing patient information on a Carle file server, potentially making the files viewable to anyone who could reach the server via the internet. Social Security numbers and financial information were not included, but patient names, dates of service, reasons for visit, physician names, and diagnosis and treatment codes were.
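The two incidents share a root cause: patient data ended up in a location, or with permissions, that exposed it, and nobody checked after the change (a server upgrade in one case, a vendor dropping files in the other). The practical answer is a post-change audit of the served tree. The script below is an added illustration, not code from the article or from either organization: the directory layout, file names and patient values are constructed sample data, and the two regular expressions are a deliberately small stand-in for a real PHI-detection ruleset.

```python
import os
import re
import stat
import tempfile

# Loose PHI indicators: a plausibly valid US SSN and an MM/DD/YYYY date of birth.
# Real scanners use far richer dictionaries; two patterns are enough to show the idea.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


def looks_like_phi(text):
    """True if the text carries at least one SSN- or DOB-shaped value."""
    return bool(SSN_RE.search(text) or DOB_RE.search(text))


def exposure_of(path):
    """Permission bits that let users outside owner/group read or write the file."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit(root, max_bytes=1 << 20):
    """Walk `root`; return (relative path, problems) for PHI-looking files that are exposed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                continue  # unreadable even to us: not exposed by this route
            if not looks_like_phi(text):
                continue
            problems = exposure_of(path)
            if problems:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, problems))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (hypothetical data, not from any real system):
    an export left world-readable after an 'upgrade', a vendor drop in a served
    directory, a harmless page, and a locked-down file that must NOT be reported."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    samples = {
        "backup/patients_export.csv": ("name,dob,ssn\nJane Doe,04/12/1971,123-45-6789\n", 0o644),
        "vendor/visit_summary.txt": ("Visit 06/03/2016 dx Z00.00 SSN 456-78-9012\n", 0o664),
        "index.html": ("<html><body>Welcome</body></html>\n", 0o644),
        "secure/notes.txt": ("SSN 321-54-9876, owner-only access\n", 0o600),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, problems in audit(build_sample_tree()):
        print(f"{rel}: {', '.join(problems)}")
```

Run it against a web server's document root or a file share after an upgrade or a vendor drop, and move or lock down anything it reports before the server goes back into service. Permission bits are only one exposure route: a file can be owner-only on disk and still be served by a web application running as that owner, so this on-disk check complements, rather than replaces, a scan from the network side.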
Every one of us is vulnerable to these breaches, and we place a good deal of the control in the hands of the organizations charged with protecting the data; in some cases those are business associates that have less of a relationship with us as patients than the care organization does.
The FBI said recently that criminals can sell health care information for as much as $50 a record. All of this has come to light in the last two years or so, since the gigantic Anthem breach that affected 78 million people in 2015. The real issue remains that demand is high. Since 2009, hackers have stolen the records of more than 120 million people, including the aforementioned Anthem breach and the Premera Blue Cross case, which affected 11 million people.
But what can be done to keep breaches at bay? Medical Practice Insider suggests performing a risk assessment of where the practice stands from a security standpoint. Are you understaffed? What are your reporting metrics, controls, policies, and processes? Do you have executive support for security budgeting? Look at compliance frameworks to drive security decisions.
Next, review your vendor and customer agreements annually. Identify which parties are covered entities and which are business associates. Then, “assign responsibility for compliance management. If you suffer a breach, the regulatory fines can hurt even more than the lost records -- up to $50,000 per record lost. Ensure someone within your organization fills an InfoSec role, and make a separate security official responsible for the development and implementation of HIPAA policies.”
Another important element is security training for those responsible for security, along with security awareness training for staff. Those responsible for security within your organization must thoroughly understand applicable compliance structures, such as HIPAA. Finally, establish a security framework that creates a sustainable, effective network of security checks and procedures, including security governance and policy, operations, monitoring and reporting, and security optimization.
“The process at each step will vary depending on the size, structure, and maturity of your organization. However, at minimum, your business should employ end-to-end encryption and robust network monitoring software to deter and detect a breach,” the site reports.
Doing so should secure the practice and put in place a framework, informed by threat intelligence, for “preparing, protecting, integrating, detecting and responding to potential and present threats as they arise.”