Tag: health data breach

Security Best Practices for Protecting Your HIPAA Compliant Data

Guest post by Manoj Puranik, CEO, Atlantic.Net.

Manoj “Marty” Puranik

Augusta University Medical Center reported that it had become a victim of phishing for the second time within a 12-month period although fewer than 1 percent of patients were impacted by the second effort. A trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom for the owner to retain the data. A successful intrusion of Medical Oncology Hematology Consultants was detected, with 19,203 compromised patient records; however, by that point, the hackers had been inside the system for 20 days.

Kaleida Health announced that it had been victimized by phishing, with 744 patients affected; actually, though, that was adding to a previous tally – with 3,544 total records accessed. Ransomware brought down Pacific Alliance Medical Center; two months later, the firm said that 266,123 patients were impacted.

What do all of these situations and figures have in common? They are all Health Insurance Portability and Accountability Act (HIPAA) violations that took place in 2017. Also, you don’t want to be that organization. Forget the threat to your credibility (perhaps especially the much-dreaded Wall of Shame); the sheer expense is overwhelming. For any data breach, the average drop in revenue experienced by a healthcare firm is $3.7 million.

So, with all that said (i.e., since breaches are more common than anyone would like, and since these cyberattacks are so incredibly costly), it is only reasonable to look over some HIPAA fundamentals and review security best practices for protecting HIPAA compliant data. With the information you collect, you can plan the implementation of the most strongly protected system possible.

Here are a few tips so that your environment can integrate best practices for securing the protected health information (PHI) that is under your watch:

Encrypt everything

Encryption is critical. Just look at a study published in Perspectives in Health Information Management in 2014. While this research is slightly dated, it is compelling because it is a true big data study that looked at all the breaches of HIPAA-protected files that were currently within the HHS Department’s system. At the time of the report, which used all events through September 22, 2013, 27 million people’s records had been compromised, via successful attacks of 674 covered entities and 153 business associates. Forms of intrusion included hacking, improper disposal, loss, theft, unauthorized access, etc. Breaches occurred in various digital environments both through devices and backends, as well as through hard-copy paper documents.

When you look at the data on types of breaches as pieces of the whole, you see how prominent theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities (CEs), and business associates (BAs) affected in each case (numbers that have now grown substantially):

1. Theft – 12,785,150 people (via 344 CEs and 52 BAs)
2. Loss – 7,359,407 people (via 74 CEs and 23 BAs)
3. Hacking or IT event – 1,901,111 people (via 59 CEs and 20 BAs)
4. Unauthorized access – 1,334,118 people (via 136 CEs and 44 BAs)
5. Improper disposal – 649,294 people (via 32 CEs and 5 BAs)

The key concern here is that these issues are not just about theft. If it were just about laptops being stolen, that would not be as much of a problem, because the criminals would not necessarily be able to get anything off them. All of these cases are ones in which the information on the stolen devices was unencrypted. In other words, all you need to do is encrypt that data – and even if it does get stolen, you don’t need to worry about it as a violation.
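The point above is that a stolen device only becomes a reportable problem when the records on it are readable. As an added example (not code from the original post or from Atlantic.Net), the Go program below seals a PHI record with AES-256-GCM under a key that is kept apart from the record, then shows the three properties that make the stolen copy useless: the plaintext bytes do not appear in the sealed blob, only the right key opens it, and any tampering is rejected. The record contents and key-handling functions are constructed for illustration; a real deployment would fetch the key from a key-management service rather than generate it in-process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is the AES-256 key length in bytes.
const keySize = 32

// NewRecordKey generates a random 32-byte data-encryption key. This is a
// stand-in for a KMS/HSM call: the key must never sit on the same disk as the records.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one PHI record with AES-256-GCM. The returned blob is
// nonce || ciphertext || authentication tag. A fresh random nonce is drawn on
// every call, so two identical records never produce the same blob.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It fails on the wrong key or on any change
// to the blob, because GCM verifies the tag before releasing plaintext.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a blob still contains the record's plaintext
// bytes, i.e. whether the storage was effectively unencrypted.
func LeaksPlaintext(sealed, plaintext []byte) bool {
	return bytes.Contains(sealed, plaintext)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN:000123|Doe, Jane|DOB:1970-01-01|Dx:hypertension")
	key, err := NewRecordKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; plaintext visible on disk: %v\n", len(sealed), LeaksPlaintext(sealed, record))
	back, err := OpenRecord(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", back)
	sealed[len(sealed)-1] ^= 0x01 // simulate a corrupted or edited blob
	if _, err := OpenRecord(key, sealed); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The design choice worth noting is the separation of key and data: full-disk or file encryption only earns the "stolen device, no breach" outcome if the key is not recoverable from the same device (for example, it is released only after the user authenticates or is held by a remote key service), so the inventory from the risk assessment should record where every key lives, not just where the data lives.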

Assess your risk

Conduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer ePHI, along with other ways in which your information may be exposed physically. For the data center environment (whether it’s internal, third-party or hybrid), you want to ask these questions: Are natural disasters common in the location of the data center? Is there a responsible party associated with every hardware component? Have you assessed the security mechanisms that are now in place and any risks that are present? Have you taken into account all the ways in which ePHI is accessed or manipulated within your system? Consider the creation, receipt, maintenance and transfer of this information.

Training is fundamental

It is easy, especially with electronic protected health information, to become obsessed with the systems and to forget about the huge potential for human error. Your staff must be properly trained, especially since the threat landscape is evolving, with an increasingly sophisticated toolset for accessing the data. A very simple yet devastating mistake that is often made is falling for phishing, in which a staff member either clicks on a link or submits data, such as usernames or a Social Security number, and thereby hands it to a fraudulent system. It is horrifying but true that something as simple as a fake email could create a point of entry for malware or viruses.


Mitigating Risks In the Wake of Security and Data Breach

Guest post by Tim Cannon, vice president of product management and marketing, HealthITJobs.com.

Tim Cannon

A study early this year found that more IT employers are offering their employees flexible work options. But in the wake of security and data breaches, is it worth the risk in health IT?

A report published by the Ponemon Institute in September 2014 revealed 43 percent of U.S. companies surveyed experienced a security breach in the past year, up from 33 percent in 2013. Healthcare organizations are a prime target for cyberattacks, according to a report from the Identity Theft Resource Center. Health and medical companies suffered the most breaches in 2014, accounting for 42.5 percent of reported cyberattacks.

Here are some of the biggest risks health organizations face with a virtual health IT workforce, and how to keep patient data safe:

Email risks
Hillary Clinton recently came under fire for using a personal email address for government business during her time as secretary of state. Not only did her exclusive use of personal email violate federal record-keeping laws and practices, but it also put sensitive information at risk. Her actions remind us that employees are using their personal email accounts for work, whether their employers are aware of it or not.

Health IT professionals who work from different locations and from different devices could be sharing unencrypted data over their personal emails without password protection. They could be sending work emails from a personal account on their phones or home computers because it’s more convenient than connecting to their work accounts.

Solution:
Set clear policies on email use and remind employees of the importance of password protection when sending sensitive information.

Network vulnerabilities
To accommodate the remote workforce, networks and cloud-based data storage systems can be accessed from any location. But more employees using the network and accessing data from different places makes it easier for hackers to access the information as well.

Remote workers usually operate out of their home offices. This means they are using their home network, which is usually much less secure than the office network. Sometimes they also work out of Starbucks and other public spaces that have unsecured Wi-Fi networks. These places also lack standard security controls, which means the data is unencrypted in transit and easy for hackers to steal.

Solution:
The underlying software of the network needs to be secure, no matter where employees are working from. Securing cloud-based systems is also extremely important. Making sure your servers are up to date with service packs and software updates is critical to close potential holes in your network. Having a strong virtual private network is critical to protect patient information and other sensitive data. Invest in highly protected providers, encrypt sensitive data, and diversify your passwords to avoid security breaches.
