Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers

June 14, 2018

A review of the data on the OCR Breach Portal indicates that only about 20 percent of healthcare data breaches through 2017 are the result of hacking, but they involve large numbers of records.1 Unfortunately, the healthcare industry also has more data breaches than any other industry.2 There are various reasons for this. We describe some of those here and offer recommendations for preventing HIPAA data breaches caused by criminal hackers.

For an explanation of HIPAA terms and more information about HIPAA data breaches in general, see the NORCAL Knowledge Library article, “Preventing HIPAA Data Breaches: Case Studies and Best Practices.”

Stringent Disclosure Requirements in Healthcare

The healthcare industry is subject to more stringent breach disclosure requirements than are most other industries due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

High Value of Medical Records and Low Risk for Criminals

Electronic health records are a more attractive target to criminal hackers because they offer greater potential financial gain at lower risk than other types of information.2 Electronic health records are far more valuable on the black market than credit card information. They are more valuable in part because they contain more information (e.g., health insurance policy information and drug prescription information, which have various uses independently and in combination with the other common information in health records). Additionally, patients are less likely to notice their PHI is being misused than they are to notice unauthorized charges on their credit card, which usually results in closing the account and significantly diminishing the value of the stolen information. Patients can’t close their health records and start over. The information can be used indefinitely.3

Less Sophisticated Cybersecurity in Healthcare

Finally, healthcare entities are often easier to hack into than financial institutions and retailers because electronic record keeping is relatively new to the healthcare industry and fraud is frequently not treated with the same priority as it is in financial or retail institutions. This has resulted in less sophistication in data security tools and strategies used among healthcare providers.4

Hackers can strike anywhere. They access PHI through various avenues, including email servers, EHR systems, network servers and portable devices connected to various servers. The HHS website reports hacking incidents affecting numerous healthcare entities, from solo practice physicians to university hospitals to nationwide health insurers. Hackers, when they can be identified, range from disgruntled employees attempting to divert patients to competitors to sophisticated offshore hacking rings that presumably steal health data to sell on the black market.5

Just like laptop or cellphone theft, hacking seems inevitable. The most sophisticated perimeter defense (programs to keep hackers out of the system, e.g., firewalls) is unlikely to completely prevent hackers from getting into data systems. Data security experts advocate for increased efforts in deterring hackers from extracting data from systems they have accessed or have attempted to access.

One way to accomplish this objective is by applying security controls at various layers, such as implementing intrusion prevention software at the network perimeter, in addition to deploying monitoring software inside the perimeter that is designed to alert on anomalous PHI access attempts. A third layer and example would be applying encryption to all PHI, thus reducing the risk of exposure if other efforts are thwarted and the PHI is extracted.
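As an added illustration of the second layer (monitoring inside the perimeter), and not code from the NORCAL article or any vendor product: a minimal detector run over constructed EHR audit records that flags export actions outside business hours and any account that opens more than an assumed threshold of distinct patient charts within one clock hour. Field names, the threshold and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit records (not real data):
# (timestamp, user, role, patient_id, action)
SAMPLE_LOG = [
    ("2018-06-14T09:02:11", "rn_lopez", "nurse", "P1001", "view"),
    ("2018-06-14T09:05:40", "rn_lopez", "nurse", "P1002", "view"),
    ("2018-06-14T09:10:03", "rn_lopez", "nurse", "P1001", "update"),
    ("2018-06-14T02:14:55", "billing_jdoe", "billing", "P2001", "export"),
]
# A front-desk account opening 15 different charts in one hour (constructed).
SAMPLE_LOG += [
    ((datetime(2018, 6, 14, 13, 0) + timedelta(minutes=3 * i)).isoformat(),
     "ws_frontdesk", "clerk", f"P3{i:03d}", "view")
    for i in range(15)
]


def parse(records):
    """Turn the raw tuples into dicts with a parsed timestamp."""
    return [{"ts": datetime.fromisoformat(ts), "user": u, "role": r,
             "patient": p, "action": a} for ts, u, r, p, a in records]


def detect_anomalies(rows, max_patients_per_hour=10, business_hours=(7, 19)):
    """Return alerts for off-hours exports and bulk chart access.

    Thresholds are assumed values; a real deployment would derive them from
    each role's observed baseline.
    """
    alerts = []
    per_user_hour = defaultdict(set)  # (user, hour) -> distinct patients seen
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0)
        per_user_hour[(r["user"], hour)].add(r["patient"])
        in_hours = business_hours[0] <= r["ts"].hour < business_hours[1]
        if r["action"] == "export" and not in_hours:
            alerts.append(("off_hours_export", r["user"], r["ts"].isoformat()))
    for (user, hour), patients in per_user_hour.items():
        if len(patients) > max_patients_per_hour:
            alerts.append(("bulk_access", user, hour.isoformat(), len(patients)))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse(SAMPLE_LOG)):
        print(alert)
```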

Medical Liability Risk Management Recommendations — Cybersecurity

The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) has a wealth of resources targeting specific cybersecurity challenges in the public and private sectors. These practical, user-friendly guides can help your practice facilitate the adoption of standards-based approaches to cybersecurity. The publications with specific applicability to healthcare are:

You might also consider the following recommendations:2,5,6,7

  • Invest in up-to-date data loss prevention (DLP) technology.
  • Train employees on data security practices and awareness.
  • Perform suspicious email training exercises to help employees identify potentially nefarious emails.
  • Regularly monitor networks and databases for unusual traffic.
  • Develop risk assessments and incident response plans for irregular server activity.
    • Consider designating staff to carry out security monitoring.
  • Ensure that your sensitive data is backed up regularly in case of a ransomware attack or system failure that causes loss of data.
  • Protect your most critical digital assets by segregating them and prioritizing them in your business continuity plan.
  • Inoculate yourself by encrypting sensitive data and enabling password protection and remote erasing capabilities on all devices containing sensitive data to secure data in case of device loss or theft.
  • Implement email security software that guards against email fraud, impostor email, phishing, malware and spam.
  • Enable network and device firewalls.
  • Keep all operating systems and software up to date with the latest security patches, especially highly targeted software like Microsoft Office apps.

More Information About Preventing HIPAA Data Breaches

Additional Resources for Policyholders

Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.

Information and Network Security Coverage

Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.

This content is from Claims Rx.


1. U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” (accessed 5/14/2018)

2. Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/14/2018)

3. Wild D. “Experts: Be Prepared for EHR Breaches.” Pain Medicine News. April 2015;20(4). (accessed 5/14/2018)

4. Humer C, Finkle J. “Your Medical Record is Worth More to Hackers than Your Credit Card.” Reuters. September 24, 2014. (accessed 5/14/2018)

5. Federal Register Volume 78, Number 17 (Friday, January 25, 2013), Page 5656. (accessed 5/14/2018)

6. Intel. “Grand Theft Data — Data Exfiltration Study: Actors, Tactics, and Detection.” 2015. (accessed 5/14/2018)

7. Manos, Diana. “5 Ways to Avoid Health Data Breaches.” Healthcare IT News. February 19, 2014. (accessed 5/14/2018)

Additional Linked Sources

National Institute of Standards and Technology (NIST). Computer Security Resource Center (CSRC). (accessed 5/14/2018)
