The Health Insurance Portability and Accountability Act (HIPAA) has been in force since 1996, with the intent of protecting patients by requiring proper handling of their protected health information (PHI). HIPAA set out to provide both security provisions and data privacy for patient information. The legislation was passed in the age of paper records, a time that called for very different security measures than those we rely on today.
25 years later, the ways in which we store, access, and transfer PHI have changed drastically. Advances of that scale require corresponding changes to how we protect and handle patient data. Has HIPAA kept pace with the digital age we now live in? Only partially. The Security Rule (2003) introduced administrative, physical, and technical safeguards for electronic PHI, and the HITECH Act (2009) added breach notification requirements, but the safeguards themselves were written to be technology-neutral and have not been substantively revised since, leaving them well behind the threats healthcare organizations face today.
The Digital Age
Today, the convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.
Unfortunately, digital medical records also pose major risks, and HIPAA has made minimal progress in addressing them directly.
Hackers Exploiting Healthcare
According to the Protenus Breach Barometer, 2018 saw roughly 15 million patient records compromised across 503 reported breaches, about three times the number of records compromised the previous year. Why are attackers setting their sights on healthcare organizations? There are several reasons:
- PHI sells for a premium on the dark web. A stolen credit card number becomes worthless the moment the card is cancelled, but PHI is another story. Healthcare breaches can go undetected for long periods, and the data exposed, such as a date of birth or medical history, is not something the affected individual can change.
- The healthcare industry has historically underinvested in IT security and training. Limited IT resources often translate into weak security: missing or misconfigured firewalls, unpatched or end-of-life systems, no endpoint protection, and so on. A lack of employee training leaves staff ill-equipped to recognize and resist an attacker's attempts to gain access to the sensitive information they are expected to safeguard.
- A single attack on a small system can have severe consequences for the whole organization. Attackers know that clinical operations depend on these systems, so taking one offline gives them leverage. Ransomware is the clearest example: pay the ransom to regain access to your systems, or refuse and lose access to your data.
Acknowledging the Cybersecurity Problem
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA, has not ignored the problem. In December 2018, HHS published Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, voluntary cybersecurity guidance for the healthcare sector intended to drive adoption of sound practices. The guidance made clear that HHS is well aware of the cybersecurity issues facing the industry.
Beyond the cybersecurity issues plaguing healthcare, consumer data protection has become a prominent topic since the EU's General Data Protection Regulation (GDPR) took effect in May 2018. While Congress has floated the idea of a unified federal privacy law, there is no real sign of one being enacted anytime soon.
How Do We Fix This?
- Take inventory. Both Covered Entities and Business Associates need to know exactly what patient data they hold. If you store, access, or transmit any kind of PHI, identify where it lives, who can reach it, and how it moves. If an attacker obtained it, what damage could be done?
- Secure your systems. Once you know what data you hold and where, protect it: restrict access to those who need it, keep systems patched, and encrypt PHI at rest and in transit. Attackers can inflict severe damage on individuals and organizations alike; do everything you can to keep them from succeeding against you.
- Train employees. Make sure staff understand how valuable the data they handle is and the repercussions that could follow if it is compromised. Employees should know how to properly protect PHI, how to report a suspected breach, and how to spot a phishing message or any other attempt by an attacker to trick them.
Technology will continue to advance, and attackers will continue to sharpen their skills to exploit ever-evolving devices and systems. It is up to us to ensure that our cybersecurity practices evolve with them. Contact our experts to learn how you can improve your organization's cybersecurity.