A review of the data on the OCR Breach Portal indicates that only about 20 percent of healthcare data breaches through 2017 are the result of hacking, but they involve large numbers of records.1 Unfortunately, the healthcare industry also has more data breaches than any other industry.2 There are various reasons for this. We describe some of those here and offer recommendations for preventing HIPAA data breaches caused by criminal hackers.
Stringent Disclosure Requirements in Healthcare
The healthcare industry is subject to more stringent breach disclosure requirements than are most other industries due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
High Value of Medical Records and Low Risk for Criminals
Electronic health records are a more attractive target for criminal hackers because they offer greater potential financial gain at lower risk than other types of information.2 Electronic health records are far more valuable on the black market than credit card information. They are more valuable in part because they contain more information (e.g., health insurance policy information and drug prescription information, which have various uses independently and in combination with the other common information in health records). Additionally, patients are less likely to notice that their PHI is being misused than they are to notice unauthorized charges on their credit card, which usually results in the account being closed and significantly diminishes the value of the stolen information. Patients can’t close their health records and start over. The information can be used indefinitely.3
Less Sophisticated Cybersecurity in Healthcare
Finally, healthcare entities are often easier to hack into than financial institutions and retailers because electronic record keeping is relatively new to the healthcare industry and fraud is frequently not treated with the same priority as it is in financial or retail institutions. As a result, the data security tools and strategies used by healthcare providers tend to be less sophisticated.4
Hackers can strike anywhere. They access PHI through various avenues, including email servers, EHR systems, network servers and portable devices connected to various servers. The HHS website reports hacking incidents affecting numerous healthcare entities, from solo practice physicians to university hospitals to nationwide health insurers. Hackers, when they can be identified, range from disgruntled employees attempting to divert patients to competitors to sophisticated offshore hacking rings that presumably steal health data to sell on the black market.5
Just like laptop or cellphone theft, hacking seems inevitable. The most sophisticated perimeter defense (programs to keep hackers out of the system, e.g., firewalls) is unlikely to completely prevent hackers from getting into data systems. Data security experts advocate for increased efforts in deterring hackers from extracting data from systems they have accessed or have attempted to access.
One way to accomplish this objective is to apply security controls at several layers: for example, intrusion prevention software at the network perimeter, plus monitoring software inside the perimeter that is designed to alert on anomalous PHI access attempts. A third layer would be encrypting all PHI, which reduces the risk of exposure if the other controls are defeated and the PHI is extracted.
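As an added illustration of the inner monitoring layer described above (this script is written for this page and is not part of the original article or any product it mentions), the code below scans a constructed EHR access audit log and raises alerts on three patterns that commonly precede PHI extraction: one account touching an unusual number of distinct patient records, PHI access outside business hours by a role with no off-hours duties, and a rapid burst of record accesses. The log format, role names and thresholds are assumptions chosen for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample EHR access audit log; users, roles and patient IDs are invented.
SAMPLE_AUDIT_LOG = """timestamp,user,role,patient_id,action
2018-05-14T09:12:03,nurse_a,nurse,P1001,view
2018-05-14T09:15:41,nurse_a,nurse,P1002,view
2018-05-14T10:02:10,dr_b,physician,P1003,view
2018-05-14T02:11:09,billing_c,billing,P1004,view
2018-05-14T11:00:00,billing_c,billing,P1005,export
2018-05-14T11:00:05,billing_c,billing,P1006,export
2018-05-14T11:00:10,billing_c,billing,P1007,export
2018-05-14T11:00:15,billing_c,billing,P1008,export
2018-05-14T11:00:20,billing_c,billing,P1009,export
2018-05-14T11:00:25,billing_c,billing,P1010,export
"""

# Assumption: these roles have no legitimate reason to touch PHI outside business hours.
NON_SHIFT_ROLES = {"billing", "front_desk"}

def parse_audit_log(text):
    """Parse CSV audit lines into dicts, adding a datetime field 'ts'."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events

def detect_anomalous_access(events, max_patients=5, burst_n=4, burst_secs=60, hours=(7, 19)):
    """Return {user: set of triggered rule names} for accounts whose PHI access looks anomalous."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Rule 1: one account touching many distinct patient records (mass record pull).
        if len({e["patient_id"] for e in evs}) > max_patients:
            alerts[user].add("mass_access")
        # Rule 2: off-hours PHI access by a role that has no off-hours duties.
        if any(e["role"] in NON_SHIFT_ROLES and not hours[0] <= e["ts"].hour < hours[1] for e in evs):
            alerts[user].add("off_hours")
        # Rule 3: burst_n or more accesses inside a burst_secs window (scripted pulls look like this).
        for i in range(len(evs)):
            window = [e for e in evs[i:] if (e["ts"] - evs[i]["ts"]).total_seconds() <= burst_secs]
            if len(window) >= burst_n:
                alerts[user].add("burst")
                break
    return dict(alerts)

if __name__ == "__main__":
    for user, rules in detect_anomalous_access(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT {user}: {', '.join(sorted(rules))}")
```

In practice the baseline thresholds would be derived per role from historical audit data rather than hard-coded, and the alerts would feed the incident response plan rather than a console.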
Medical Liability Risk Management Recommendations — Cybersecurity
The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) has a wealth of resources targeting specific cybersecurity challenges in the public and private sectors. These practical, user-friendly guides can help your practice facilitate the adoption of standards-based approaches to cybersecurity. The publications with specific applicability to healthcare are:
- 1800-1 Securing Electronic Health Records on Mobile Devices
- 1800-3 Attribute Based Access Control
- 1800-4 Mobile Device Security: Cloud and Hybrid Builds
- 1800-6 Domain Name System-Based Electronic Mail Security
- 1800-8 Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
- 1800-11 Data Integrity: Recovering from Ransomware and Other Destructive Events
You might also consider the following recommendations:2,5,6,7
- Invest in up-to-date data loss prevention (DLP) technology.
- Train employees on data security practices and awareness.
- Perform suspicious email training exercises to help employees identify potentially nefarious emails.
- Regularly monitor networks and databases for unusual traffic.
- Develop risk assessments and incident response plans for irregular server activity.
- Consider designating staff to carry out security monitoring.
- Ensure that your sensitive data is backed up regularly in case of a ransomware attack or system failure that causes loss of data.
- Protect your most critical digital assets by segregating them and prioritizing them in your business continuity plan.
- Protect against device loss or theft by encrypting sensitive data and enabling password protection and remote-wipe capability on every device that holds sensitive data.
- Implement email security software that guards against email fraud, impostor email, phishing, malware and spam.
- Enable network and device firewalls.
- Keep all operating systems and software up-to-date with the latest security patches, especially highly targeted software like Microsoft Office apps.
More Information About Preventing HIPAA Data Breaches
- Overview: Preventing HIPAA Data Breaches: Case Studies and Best Practices
- Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
- Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
- Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
- Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
- Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach
Additional Resources for Policyholders
Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.
Information and Network Security Coverage
Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.
1. U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” (accessed 5/14/2018)
2. Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/14/2018)
3. Wild D. “Experts: Be Prepared for EHR Breaches.” Pain Medicine News. April 2015;20(4). (accessed 5/14/2018)
4. Humer C, Finkle J. “Your Medical Record is Worth More to Hackers than Your Credit Card.” Reuters. September 24, 2014. Available at: www.reuters.com/article/2014/09/24/us-cybersecurityhospitals-idUSKCN0HJ21I20140924 (accessed 5/14/2018)
5. Federal Register Volume 78, Number 17 (Friday, January 25, 2013), Page 5656. (accessed 5/14/2018)
6. Intel. “Grand Theft Data — Data Exfiltration Study: Actors, Tactics, and Detection.” 2015. (accessed 5/14/2018)
7. Manos D. “5 Ways to Avoid Health Data Breaches.” Healthcare IT News. February 19, 2014. (accessed 5/14/2018)
Additional Linked Sources
National Institute of Standards and Technology (NIST). Computer Security Resource Center (CSRC). (accessed 5/14/2018)
- “Securing Electronic Health Records on Mobile Devices.” SP 1800-1 (Draft). July 28, 2015. (accessed 6/5/2018)
- “Attribute Based Access Control.” SP 1800-3 (2nd Draft). September 20, 2017. (accessed 6/5/2018)
- “Mobile Device Security: Cloud and Hybrid Builds.” SP 1800-4 (Draft). November 02, 2015. (accessed 6/5/2018)
- “Domain Name System-Based Electronic Mail Security.” SP 1800-6 (Final). January 19, 2018. (accessed 6/5/2018)
- “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.” SP 1800-8 (Draft). May 08, 2017. (accessed 6/5/2018)
- “Data Integrity: Recovering from Ransomware and Other Destructive Events.” SP 1800-11 (Draft). September 06, 2017. (accessed 6/5/2018)