Cybersecurity in 2018 needs to become a top priority. In 2017, the WannaCry outbreak brought serious attention to security in the health care industries. Lack of knowledge, funds & outdated systems continue to leave the medical community open to breaches and malicious attacks. In 2015, the medical & health care industries faced a number of cyberattacks that were greater than in any previous year. IBM reported that close to 100 million records were compromised. Personal medical records now sell for a premium over credit cards on the “dark web,” making it likely that 2018 will see an even greater number of cyberattacks on medical providers, systems & devices.
The Surge in Medical Data Theft in 2015.
There was an alarming trend in medical data theft in 2015. To take just a few examples:
- According to IBM’s Security Intelligence blog, there was “a 1,166% increase in reported health care records breached from 2014 to 2015.” IBM further reports “that in the first 10 months of 2015, healthcare ranked #1 in terms of compromised records; with nearly 34% of all records compromised across all industries.”
- An August 2015 KPMG survey reported that “81% of health care executives say that their orgs have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks.”
- High profile data breaches in 2015 included attacks on health insurer Anthem, Inc., exposing up to 78.8 million customers’ records, and Premera Blue Cross, exposing up to 11 million customers’ records.
- Attackers aren’t just focused on major insurers or hospitals: look at the US Department of Health and Human Services’ Office of Civil Rights breach portal, which lists breaches of protected health information affecting more than 500 individuals. Reported breach victims include numerous individual physicians and community medical practices, with the most recent reported breach on Dec. 18, 2015.
The cybersecurity outlook for 2018 doesn’t seem much better. Computerworld recently reported that, according to an IDC analysis, “1-in-3 consumers will have their healthcare records compromised by cyberattacks in 2016” because of “a legacy of lackluster electronic security in healthcare and an increase in the amount of online patient data.”
Why Do Hackers Want Medical Records?
Medical records can provide hackers with a multitude of permanent identity information, including social security numbers, dates of birth, addresses and credit card numbers, which can be used to file fraudulent medical claims and drug prescriptions, and for identity theft.
This information can also be used to blackmail patients and to create targeted “phishing” attacks. Typically an email contains a generic message designed to induce the recipient to open a link or download a file that, unbeknownst to the recipient, installs malware, potentially giving hackers access to the target’s computer.
Further increasing their value, medical records contain information that is difficult to quickly change, unlike credit cards, which banks can cancel or reset. This is similar to the information compromised in the 2017 Equifax breach, which exposed the private credit information of over 143 million Americans, including highly sensitive data such as Social Security numbers, previous addresses & employers – data that is static.
Lawsuits and Government Action under HIPAA as Breach Consequences.
Should your practice suffer a data breach, the legal consequences can range in scope, up to and including lawsuits, fines, or other government actions. This is often mandated by HIPAA compliance regulations.
Data breaches can also subject medical providers or insurers to lawsuits, whether class action or individual, based on allegations of negligence, breach of contract, and breach of various state data breach and consumer protection statutes. Class action lawsuits against Anthem and Premera, based on the breaches mentioned above, are ongoing.
Breaches can also subject medical providers to fines of up to $1.5 million from the Department of Health and Human Services under HIPAA regulations, in addition to fines from various state regulators.
What Can You Do to Improve Cybersecurity?
Given the threats to medical data – and the potential consequences of a breach – what can health care providers do to minimize the risk of a breach? Below are a few suggestions to improve cybersecurity practices going into 2018:
- Educate yourself: The government provides a variety of resources on cybersecurity best practices. Resources include tips and training videos at https://www.healthit.gov/providers-professionals/cybersecurity-shared-responsibility; and recommendations for complying with HIPAA’s “Security Rule” governing the storage of electronic protected health information (45 CFR Part 160 and Subparts A and C of Part 164) at http://www.hhs.gov/hipaa/for-professionals/security/index.html.
- Ensure employees are properly trained on cybersecurity protocols, and then test that training. For example, some employers send fake “phishing” emails to employees to test their propensity for falling for this increasingly common hacking technique.
- Even if your cybersecurity practices are top-notch, you may still be vulnerable to losing data through a compromised vendor. Ensure that any vendor with access to medical health records adheres to cybersecurity best practices and signs the business associate agreement required by federal law under HIPAA.
- Consider assigning someone within your practice to be responsible for cybersecurity, including staying abreast of the latest government recommendations. Or consider outsourcing your CISO duties to a third party that’s knowledgeable in HIPAA compliance and cybersecurity (like us!).
- If you have a data breach, what do you do? How quickly must you notify your patients? What can you do to mitigate the damage? Having a disaster recovery plan in place, and trusted advisors to consult with, before a breach can make your post-breach response much more effective.
- Given the complexities of federal and state laws that govern protected health information and patient privacy (including HIPAA), engaging lawyers and HIPAA consultants to audit and then help implement all necessary requirements as well as monitor ongoing compliance is highly recommended.
- http://www-01.ibm.com/common/ssi/cgibin/ssialias?subtype=WH&infotype=SA&htmlfid=SEL03048USEN&attachment=SEL03048USEN.PDF (emphasis added)
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- http://www.pressherald.com/2015/02/12/companies-send-fake-phishing-emails-to-test-security/