Guest post by Manoj Puranik, CEO, Atlantic.Net.
Augusta University Medical Center reported that it had become a victim of phishing for the second time within a 12-month period although fewer than 1 percent of patients were impacted by the second effort. A trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom for the owner to retain the data. A successful intrusion of Medical Oncology Hematology Consultants was detected, with 19,203 compromised patient records; however, by that point, the hackers had been inside the system for 20 days.
Kaleida Health announced that it had been victimized by phishing, with 744 patients affected; actually, though, that was adding to a previous tally – with 3,544 total records accessed. Ransomware brought down Pacific Alliance Medical Center; two months later, the firm said that 266,123 patients were impacted.
What do all of these situations and figures have in common? They are all Health Insurance Portability and Accountability Act (HIPAA) violations that took place in 2017. Also, you don’t want to be that organization. Forget the threat to your credibility (perhaps especially the much-dreaded Wall of Shame; the sheer expense is overwhelming. For any data breach, the average drop in revenue experienced by a healthcare firm is $3.7 million
So, with all that said (i.e., since it is more common than anyone would like, and since these cyberattacks are so incredibly costly), it is only reasonable to look over some HIPAA fundamentals and review security best practices for protecting HIPAA compliant data. With the information you collect, you can strategize implementation of the most strongly protected possible system.
Here are a few tips so that your environment can integrate best practices for securing the protected health information (PHI) that is under your watch:
Encryption is critical. Just look at a study published in Perspectives in Health Information Management in 2014. While this research is slightly dated, it is compelling because it is a true big data study that looked at all the breaches of HIPAA-protected files that were currently within the HHS Department’s system. At the time of the report, which used all events through September 22, 2013, 27 million people’s records had been compromised, via successful attacks of 674 covered entities and 153 business associates. Forms of intrusion included hacking, improper disposal, loss, theft, unauthorized access, etc. Breaches occurred in various digital environments both through devices and backends, as well as through hard-copy paper documents.
When you look at the data on types of breaches as pieces of the whole, you see how prominent theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities, and business associates affected in each case (numbers that have now grown substantially): 1. theft – 12,785,150 people (via 344 CEs and 52 BAs); 2. loss – 7,359,407 people (via 74 CEs and 23 BAs); 3. hacking or IT event – 1,901,111 people (via 59 CEs and 20 BAs); 4. unauthorized access – 1,334,118 people (via 136 CEs and 44 BAs); and, 5. improper disposal – 649,294 people (via 32 CEs and 5 BAs).
The key concern here is that these issues are not just about theft. If it were just about laptops being stolen, that would not be as much of a problem because the criminals would not be able to get anything of them necessarily. All of these cases are ones in which the information on the devices that was stolen was unencrypted. In other words, all you need to do is encrypt that data – and even if it does get stolen, you don’t need to worry about it as a violation.
Assess your risk
Conduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer ePHI, along with other ways in which your information may be exposed physically. Related to the data center environment (whether it’s internal, third-party or hybrid), you want to ask these questions: Are natural disasters common in the location of the data center? Is there a responsible party associated with all hardware components? Have you assessed the security mechanisms that are now in place and any risks that are present? Have you taken into account all ways in which ePHI is accessed or manipulated within your system? Consider the creation, receipt, maintenance and transfer of this information.
Training is fundamental
It is easy, especially related to electronic protected health information, to become obsessed with the systems and to forget about the huge potential for human error. Your staff must be properly trained, especially since the threat landscape is evolving, with an increasingly sophisticated toolset for accessing the data. A very simple yet devastating mistake that is often made is phishing, when a staff member either clicks on a link or submits data, such as usernames or a Social Security number that, thereby, connects them in to a fraudulent system. It is horrifying but true that something as simple as a fake email could create a point of entry for malware or viruses.
Be vigilant and ready to act
Although you don’t want to have to think about it, it’s critical to be prepared for the possibility of a breach — so that you can have a response that is fast yet thoughtful. Here are the basics of the Office for Civil Rights checklist for proper response to a breach of HIPAA-protected material:
- Carry out your response and mitigation steps, along with your contingency plans (stopping the attack and containing the threat to privacy and security;
- Report the incident to law enforcement;
- Submit the relevant cyber threat indicators to federal and information sharing and analysis organizations (ISAOs); and,
- Notify the Office for Civil Rights quickly, a maximum of 60 days following the detection of a breach that compromised at least 500 people.
Read business associate agreements and find partnerships you trust
We all want to believe that we are good judges of character; still, we know, in a business setting, it all comes down to credibility and vetting – the due diligence that makes certain that you’re not making a decision that could make you vulnerable. If your organization is a covered entity or business associate, either way, you need to be certain that any vendor relationships related to ePHI (or PHI) are designed to protect the data as defined within the law. Whenever you look at a new potential agreement, it is important to check that the external entity scans its system for security risks at regular intervals. You also want to know that the staff has been properly trained, as well as ensuring the designation of security and privacy officers.
Of course, a piece of paper is only worth something from a legal standpoint; it won’t protect you at the level of the technology. To make sure the systems themselves are properly secured and controlled, look to see that the provider is audited to meet the American Institute of Certified Public Accountants’ SOC 1 and SOC 2 standards, as well as being certified for HIPAA compliance.