MEGAN CHENEY—Following the massive Equifax data breach, industries are feeling the ripple effects of shock and large-scale consumer frustration over a perceived lack of data security. Among those shifting uncomfortably in their seats are healthcare organizations, whose data is even more lucrative to cyber criminals than credit information.
The morning after your healthcare information is hacked, you may receive an email similar to the one patients of Cleveland Medical Associates in Tennessee received earlier this year:
Dear Patient:
On the night of April 21, 2017, Cleveland Medical Associates discovered that, the evening before, its computer network had been impacted by ransomware, a type of computer virus that locks up, or encrypts, information and demands that a payment be made in order to unlock, or decrypt, the information.
Ransomware attacks like the Cleveland Medical Associates breach hold information systems hostage and lock out users, endangering lives by blocking access to patient files. Breach events expose patients’ protected health information (PHI), a profitable target for cyber criminals. Your PHI encompasses the individually identifiable health information that your healthcare provider holds about you, including your Social Security number, credit card information, and personal details about medical conditions or insurance coverage, all of which make it easier for a criminal to assume your identity.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) govern the actions that healthcare organizations must take before and after a data breach. HIPAA set the regulatory framework for the protection of PHI, and the HITECH Act amended it to require public breach notification reporting.
Among HIPAA’s updated provisions are a Security Rule and a Breach Notification Rule. The Security Rule requires HIPAA-covered entities and their business associates to develop and implement safeguards that protect electronic PHI. The Breach Notification Rule requires covered entities to notify affected individuals of any breach without unreasonable delay, and in no case later than sixty days after the breach is discovered. For breaches affecting 500 or more persons, the entity must also notify the Secretary of the Department of Health and Human Services at the same time and, when more than 500 residents of a state or jurisdiction are affected, notify prominent news outlets serving that area; smaller breaches are reported to the Secretary in an annual log.
Attacks by third parties, including hacking, ransomware, and malware events, make up fewer than two percent of all PHI data breaches, but they tend to be large-scale events. Two of the three biggest data breaches of 2017 were attacks by third parties, collectively affecting more than 800,000 patients. External attacks are not the only exposure: uninformed staff who fall for phishing emails and insiders who access and steal secured information are also major sources of PHI data breaches. The largest PHI breach in 2017 so far occurred when a former employee abused access privileges and improperly accessed the billing information of 700,000 patients.
Even with the strict reporting guidelines prescribed by HIPAA, patients affected by a breach are largely left on their own to ensure that their identities are not stolen. Patients are able to do little more than place a security freeze on their credit or utilize credit watch services. Those affected by the Cleveland Medical Associates breach were offered one free year of Equifax’s credit services and instructions to “remain vigilant” about reviewing their personal financial statements.
There is no single solution to PHI data breaches, but there are a few key measures HIPAA-covered entities can take to prevent them and to limit their impact. Continually improving security controls and adopting protections such as encryption of stored and transmitted PHI and multifactor authentication are important steps. Improving lines of communication between organizations and training staff also help breaches get identified earlier. Patients concerned about their provider’s security can check the “Wall of Shame,” the HHS list of reported breaches affecting 500 or more individuals, or speak up and ask their providers what measures they have in place to prevent a breach.
While there is no way to eliminate the risk of PHI data breaches, healthcare organizations can mitigate it. HIPAA and HITECH go a long way toward transparency and outline basic security requirements, but it is on healthcare organizations and their business associates to remain proactive in meeting the challenges posed by modern cybersecurity threats.