Significance of Medical Data Breaches – Steps Healthcare Institutions Must Take
By Arman Sadeghi, Founder, All Green Electronics Recycling
According to the Brookings Institution, from late 2009 up to present times, the cost of breaches in the healthcare industry has reached $363 per record. Further, over 155 million Americans have had their medical information compromised by way of 1,500 data infractions. Interestingly, the medical care industry is the most vulnerable of all arenas. As reports by Accenture reveal, hospitals are likely to incur losses worth $305 billion over the next few years thanks to cyber crime.
What Makes the Healthcare Industry So Vulnerable?
The susceptibility of the healthcare industry to cyber crime is linked to government regulations, as the Brookings Institution reports. These laws require all medical institutions to maintain electronic health records (EHR) and other practices in compliance with the Patient Protection and Affordable Act (Obamacare). However, all such institutions may not have the necessary resources needed for allocating to the security of the records they maintain.
As Lisa Gallagher, previously vice president of technical solutions and senior director of cyber security at the Healthcare Information and Management Systems Society (HIMSS) in Chicago reveals, “Enterprises with legacy systems are trying to connect to and integrate EHRs. Security is not always considered as a part of that, and patching systems is always fraught with peril. You’re always behind.”
Even as determined hackers are using various sophisticated techniques to break into patient data, more advanced methods are needed to secure the information. This factor becomes all the more vital since hospitals need to store valuable and detailed patient data for long periods.
Yet another factor that makes hospitals open to potential attacks is that hackers also target medical insurance companies and third-party vendors that provide peripheral services to the industry. In an attempt to provide efficient and low-cost services to their patients, medical institutions are increasingly relying on third party vendors raising the risk factor.
Further, when institutions like banks become aware that a data breach has occurred, they only need to change passwords and other access information. However, medical records and personal information once accessed cannot be recalled or changed in any way.
With 9% of Hacking Incidents Aimed at Patient Information, Your Data is At Risk
The records that medical institutions store include various patient details such as Social Security Numbers, previous health records, home address, email addresses, NHS number, results of medical diagnostic tests, and ethnic origin, among others. The time period for which the records are stored and the extensive information in them directly affect their vulnerability to data theft and the possible severity of the ramifications in case cyber criminals gain access to them.
As Dr.Vincent Liu, head author and a scientist at Kaiser Permanente’s research facility in Oakland, California says, “Hackings doubled from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records.”
Hackers getting access to this information can sell the details for large sums through illegal portals. In fact, a report on Reuters reveals that medical information may sell for a value 10 times more than a credit card number. Cyber thieves may also use patient data to extract ransom from hospitals and other healthcare institutions. In place of known currency, they may demand payment in the form of non-traceable bitcoins. Buying expensive drugs and equipment and claiming insurance using fake IDs are only the few of the other crimes committed using medical information.
How Healthcare Institutions Can Prevent Patient Information Theft
Cyber crime experts reveal that hospitals can take several steps to protect the patient information they store.
To begin with, it is highly essential to educate patients and hospital employees about the dangers of phishing and to be cautious when opening emails or clicking on links. Patients should carefully check all documents they receive including medical care bills and any communication sent by insurance companies.
Aside from these sources of information breaches, computer pen drives and other stolen electronic devices like laptops containing hard drives with sensitive information may also be the tools that cyber criminals use. Here are some of the steps hospitals can take for cyber security.
- Hospitals need to train employees and all personnel in their organization who may have access to the equipment that stores sensitive data. All employees should be aware of HIPAA regulations and mandatory patient privacy regulations when providing care.
- Medical institutions must conduct detailed analyses and audits of their digital systems for evaluation for possible data breach vulnerability. According to HIPAA regulations, this audit must be conducted at least once in 12 months.
- Healthcare organizations must hold their third-party vendors accountable for the security of the patient information they share with them. They can ensure this safety by way of detailed business associate contracts.
- Hospitals can install certified IT system security software that can quickly identify any indications of breaches from international origins also. Not allowing access to the organization’s network through a sub network may work on local hackers only.
- Hospitals and clinics must use separate wireless providers for the staff handling patient information and any other users on the premises.
- All institutions including insurance companies, medical institutions, and third-party vendors storing and handling sensitive patient data should create backups of all files offline in a secure manner. In case of any data breaches, they can use the saved backups to restore the information.
- Hospitals and other organizations must work with certified companies to dispose of all their electronic media responsibly in accordance with HIPAA laws and regulations. By working with expert companies, they can ensure that all hard drives and other storage media are properly shredded and later, dispatched to recycling plants for melting down to their alloy state. Such professionals also provide a detailed list of the serial numbers of the hard drives and Solid State Drives that they destroyed along with the mandatory Certificate of Destruction.
Security breaches and leaks in sensitive patient information is a serious issue in today’s times. But, with adequate precautions, hospitals can safeguard themselves and prevent breaches from occurring.