Patient names, addresses, social security numbers, health and payment details—we all know how important it is to keep readily identifiable personal information secure. But today, electronic protected health information (ePHI) is highly targeted by hackers. Why? That’s simple–on the black market, personal health data sells at a high dollar value, even more so than credit card numbers.
The threat is both very real and growing exponentially, as reported by the Ponemon Institute, the pre-eminent research center dedicated to privacy, data protection and information security policy. In its Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, The Ponemon Institute describes a frightening trend in the increase of intentional data breaches as cyber criminals seek to exploit sensitive healthcare information.
What research says about this new era of cyberattacks
According to the study’s findings, while employee negligence and lost or stolen devices still result in many data breaches more data breaches are attributed to criminals who are increasingly targeting and exploiting healthcare data.
The healthcare industry is vulnerable to criminal attack for two main reasons: healthcare organizations create, transmit and store massive amounts of personal information and lack the resources, processes, and technologies to protect the healthcare data adequately. The theft of healthcare information is a burgeoning market for criminals and is reportedly tied to new and more sophisticated virtual branches of organized crime, according to Wendy Whitmore, CIO of 4Medapproved.com.
Even with HIPAA regulations in place, breaches still happen regularly. In fact, results from a 2015 survey published by HIMSS, a global, not-for-profit health IT organization, disclosed alarming information. 21 percent of survey respondents reported an incident resulting in loss of patient, financial, or organizational data.
This paradox begs obvious questions: Are we doing enough? What are hackers seeking? Reports have documented an increasingly savvy criminal element whose attacks on ePHI are growing in number year after year.
What type of information is classified as ePHI?
ePHI is defined as individually identifiable protected health information and falls into three classifications, each of which applies to the past, present, or future information:
- Physical or mental health data
- Financial information as it relates to payment for healthcare services
- Provision of healthcare services
The resale of ePHI is lucrative, often netting the criminal far more than the resale of financial data. Stolen ePHI is used for a wide range of nefarious purposes, from forging prescriptions for drugs and using the information to get medical services to identity fraud, and even launching fraudulent healthcare lawsuits.
Based on the results of this study, the Ponemon Institute estimates that data breaches could be costing the industry $6 billion. The survey results cite more than 90 percent of the healthcare organizations participating in the research as having had a data breach, with 40 percent or respondents having experienced more than five data breaches over the past two years.
The Ponemon Institute estimates the average cost of a data breach for healthcare organizations is to be more than $2.1 million and the average cost of a data breach to Business Associates at more than $1 million. However, in spite of this, 50 percent of the organizations surveyed have little or no confidence in their ability to detect all patient data loss or theft, according to the survey.
The report also states that, even though breaches of healthcare data have nearly doubled in five years, going from 1.4 million victims to more than 2.3 million in 2014, the damage to individuals whose data has been stolen is not being addressed. The report cites estimates of personal costs in excess of $13,500, as victims of healthcare identity theft work to restore their credit, reimburse their healthcare providers for false claims and make corrections to their medical records.
What you can do to protect your business
Organizations today must go beyond what HIPAA suggests to secure IT environments and manage the threat landscape of healthcare IT. To fortify your company against cyberattacks, consider the following suggestions:
- Apply greater encryption.
- Leverage log monitoring or log management.
- Use intrusion detection and vulnerability management systems.
- Up defense strategies for all of the following IT layers: physical, network, application, server, data, users, and devices.
What to know if you work with third-party IT providers
Third-party IT vendors, defined as business associates under HIPAA, can be substantial assets to your business, reducing your internal IT load, while providing both expertise and services. Working with one of these companies, though, can come at a price if hackers look at those data-sharing relationships as easy entry points—and, unfortunately, they do. To illustrate this problem, some industry leaders even refer to business associates as the ‘blind side’ of a healthcare organization when it comes to protecting data, and for good reason.
So what can you do? Choosing a HIPAA compliant third-party provider to handle ePHI in the cloud is imperative, but compliance alone is not enough. Instead, your chosen third-party IT provider must understand their role as a business associate, and provide privacy measures that surpass HIPAA’s IT requirements for optimal protection. Building, deploying, and maintaining IT environments with a constant eye toward security and compliance is critical.
Hackers are becoming bolder. The stakes are getting higher. Your organization’s sensitive information is at risk. If you manage ePHI, you and your business associates must remain HIPAA compliant, or face civil or criminal penalties.
Do you have questions about HIPAA compliance or how to protect your business in an ever-changing cybersecurity landscape? Nobody will argue the importance of HIPAA compliance, but there is more that should be considered, especially when working with third-party IT providers to safeguard your data and applications. If you’ve got questions, our team has answers—we’d love to hear from you.
Additional Resources on This Topic: