Today, the average cost of a healthcare data breach is $429 per record. When organizations factor in the loss of productivity, the amount of civil complaints and fines levied, plus the public relations besmirching, the cost implications skyrocket. In 2018, the Department of Health and Human Services Office of Civil Rights concluded a record year in HIPAA enforcement activity – 10 settlement cases and one judgment totaled a whopping $28.7 million.
Though every industry is susceptible to cyberattacks, healthcare has experienced the largest growth in attacks over the years because patient records, insurance information, and social security numbers are more valuable on the dark web. Unfortunately, legacy systems may be to blame for the uptick in cyberattacks. Forescout researchers determined 53% of common medical devices are still operating on traditional, legacy platforms.
Legacy systems, insufficient access controls, and the proliferation of medical IoT devices have created security vulnerabilities that leave hospitals wide open to cyberattacks. Research from Vectra found that the majority of legacy systems are unsecured because healthcare organizations simply can’t afford the amount of downtime that patching requires.
To guarantee that unstructured data is transmitted securely, healthcare organizations must extend their analog fax machines to a hybrid-cloud network that is HIPAA compliant and provides end-to-end encryption, two-factor authentication, and direct faxing capabilities.
By leveraging the cloud and delivering all faxes via HTTPS, outdated fax boards, media gateways, and the complex telephony stack are eliminated. Unlike a legacy analog fax infrastructure, hybrid cloud technology can ensure that time-sensitive protected health information (PHI) is delivered within seconds with high-resolution, near-diagnostic image quality and the highest levels of encryption. The accessibility of fax, coupled with the scalability of the cloud, ensures the exchange of PHI across the healthcare ecosystem is protected. This allows patients to receive high-quality care without compromising their personal information.
By Dan Potter, vice president of product marketing, Attunity, a division of Qlik.
Data is the lifeblood of every hospital and healthcare organization. Without it, doctors can’t access updated patient records for proper treatment; billing departments are unable to correctly process insurance claims; and research teams are limited in their ability to uncover new findings. Today there are issues with both data availability and access to the right information for all users within a governed, HIPAA-compliant structure, and these issues keep healthcare organizations from effectively scaling the use of data to impact lives.
Data analytics is often discussed as a key element because of its potential to uncover insights that improve operations while also increasing care quality and efficiency. In today’s world of tight budgets and rising costs, it’s essential that organizations maximize staff time allocated to care and minimize costs. However, even if a hospital provides access to all its data, a lack of data literacy – an individual’s knowledge of how to use and analyze data – could limit data’s effectiveness in improving care and operations.
Healthcare organizations must find a data cure that will address both data challenges: access to and use of information. The emerging methodology known as DataOps addresses both issues.
DataOps is a new approach to agile data integration that looks at the challenge from a holistic perspective of people, process and technology. It focuses on improved collaboration and automation of data flows across an organization. When done correctly, it results in an overall set of processes that help the organization manage and use its data in real time to transform patient care and experience.
Fighting the Data Access Challenge
As the amount of data increases daily, one of the biggest issues is how to capture and manage it all efficiently. For healthcare this includes allowing appropriate real-time access to that data for all users who need it for analytics – while keeping it protected in accordance with HIPAA. One of the first steps is implementing modern data architectures that can handle the growing data volume. Open architectures based on hybrid and multi-cloud provide the greatest efficiency along with the agility to improve patient care and increase operational efficiencies.
Home health agencies need to be able to access and share PHI while they are on-the-go – often while using their smartphones or tablets. It’s critical that these types of communication are both fast and secure. However, many home health agencies allow staff to use text messaging when sharing patient data with each other, colleagues, or the patients themselves.
Text isn’t always best despite its popularity for convenient communications. Agencies might be more at risk than they think if staff members are texting each other information about patients. And free consumer group messaging apps utilize vulnerable platforms which are unable to address healthcare-specific needs in terms of security and compliance.
An agency places itself and its patients at risk when sending ePHI via unencrypted text messaging. Traditional texting may not meet security or compliance requirements set forth under HIPAA. The HIPAA Journal indicates that the fine for a single breach of HIPAA can be anything up to $50,000 per day the vulnerability responsible for the breach is not attended to. Organizations which text in violation of HIPAA can also face civil charges from the patients whose data has been exposed if the breach results in identity theft or other fraud.
Immediacy, privacy and trust are key when communicating PHI among agency clinicians and the broader care team (e.g., the referring physician, a specialist, a pharmacist, etc.). For example, the patient or the field nurse can snap a picture of a patient’s wound and then send it securely to the wound care specialist for his/her recommendation. A wound care specialist can make a decision remotely – saving drive time and expenses – and immediately provide assistance to the field nurse.
Decision-making is accelerated, helping patients receive timely care and assistance. Staff productivity is optimized, helping the agencies better leverage specialists across a larger number of cases. ER visits and re-admissions are reduced, helping enhance patient satisfaction and outcomes.
With secure messaging functionality, home health staff members can easily and securely communicate and collaborate with colleagues, their patients and family caregivers, and with other care team members such as the referring physician or another specialist. HIPAA-compliant secure messaging is critical to securing ePHI in staff-to-staff and staff-to-patient communications.
The trend in cybersecurity news is to focus on the latest buzzwords like artificial intelligence, blockchain, ransomware, denial of service or HIPAA fines. Recent hacks are front-page news. Trends also include the increasing cybersecurity regulatory mandates, such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.
CISOs and other business leaders responsible for the security of ePHI and business continuity are the intended audience and are being inundated with a tornado of cybersecurity trends—much of which is vendor driven. They’re also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS’ CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.
Whitepapers discussing the “top 10 priorities” or “top 10 trends” are commonplace. They’re usually vendor driven and focus largely on the most prevalent asset type — computers. That is, they address desktops, laptops and servers, covering perimeter security or internal threats from user behavior, including training users not to click on suspect emails to prevent phishing attacks.
Overlooking Second Most Prevalent Asset Type — Printers
But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers’ IT enterprises — their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function devices, single-function devices, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house showed that faxes can be easily exploited to hack printers and the corporate networks where they reside.
Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department. Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.
Little Known Facts about Print Fleets
Whatever the reason, here are a few important facts that you should know about almost all printers in healthcare:
Printers are mission critical to patient care and part of providers’ tier one applications.
Printers are everywhere. There can be as many as one printer per employee, or ratios between 1:6 and 1:10.
Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
Printers have built-in security settings, but they are not being set or maintained.
HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
Printers are shipped, and regularly deployed and maintained on networks, with factory default settings, including published factory default administrator passwords, which enable bad actors to take control of them.
Even if security settings on printers are set at the time of deployment, they can be reset back to factory defaults (i.e., turned off) without anyone noticing.
Why Act Now to Secure Printers?
The easiest answer: because it’s the law (HIPAA) and you’re exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Also, other regulations that go beyond HIPAA mandates are regularly being enacted, exposing companies to even more severe penalties.
Any healthcare facility that wants to keep its customers happy must have patient portals. It is easy to create these portals, but keeping the data safe from hackers can be tough. In the US, at least half of the healthcare consumers are using patient portals. About 80 percent of these patients have expressed their satisfaction with the level of ownership they have with their health data and the convenience of its accessibility.
Because of the security issues involved, the Affordable Care Act and meaningful use regulations have worked towards incentivizing the healthcare industry to make health records digital and more accessible to patients. The portal allows patients to manage their personal details, including medication lists and lab test results as well as financial information. This is enough data to make a patient a target for hackers. Because the use of patient portals will keep rising, the risk will only get bigger, which means a better approach to protecting this information needs to be realized.
How to Stay Compliant
The 1996 Health Insurance Portability and Accountability Act (HIPAA) highlighted the protection of the rights of patients. It compels health providers to keep customer data confidential. HIPAA also introduces a measure of safety and imposes precise compliance standards. Breaches carry hefty penalties. Here are a few tactics to help you keep customer data safe:
1. Foster Security Mindset in Your Organization
Protected health information (PHI) according to HIPAA means more than just electronic records. Whether you are speaking on the phone or working on a physical file, the principles apply. Regulatory compliance in healthcare organizations means that every health facility must store customer data securely. An ideal tool is remote access software. This software does not restrict a user to approved databases and desktop logins.
2. Focus on the People and Not Just the Data
Electronic health records (EHRs) can only be kept private when access is limited to the people permitted to see them. That means giving access to involved parties such as the lab, doctor, and the insurance provider. Breaches and lapses occur when too many people are involved. This is why categorizing them by persona is essential. If, for instance, the patient is in a critical condition, different labs may be involved. It is, therefore, crucial to customize the profile for each user.
3. Give Patients Full Access to Their Records
Patients want to be sure their personal data is stored safely and securely. This is why healthcare providers need to allow patients to view their medical records. Some patients download and send the details to a third party, which is inherently insecure. Instead of giving the data to patients in different copies, it is crucial that the EHR be stored in one database. Because the idea is to have the data accessed remotely, a single EHR version can be shared by different devices.
The American Health Information Management Association (AHIMA) sent a joint letter to Congressional leaders today voicing concerns that certain provisions of the Office of the National Coordinator for Health Information Technology’s (ONC’s) recent 21st Century Cures Act (Cures) proposed rule on information blocking jeopardize goals to foster a healthcare system that is interoperable, patient-engaged and reduces burdens for those delivering care.
The letter, co-signed by seven organizations representing the nation’s clinicians, hospitals, health systems and experts in health informatics and health information management, outlines several recommendations aimed at furthering the objectives of Cures, while ensuring that the final regulations do not unreasonably increase provider burden or hinder patient care.
“We support the intent of the Cures Act to eradicate practices that unreasonably limit the access, exchange and use of electronic health information for authorized and permitted purposes that have frustrated care coordination and improvements in healthcare quality and efficiency,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “However, in light of the lessons learned from the meaningful use program, we believe it is crucial that we get this right. We look forward to discussing the details of these recommendations with congressional staff and ONC.”
Recommendations outlined in the letter include:
Additional rulemaking prior to finalization: ONC should seek further input from impacted stakeholders on issues including modifying the information blocking proposal to ensure that the requirements and exceptions are well-defined and understandable, and clinicians, hospitals and health information professionals are not inappropriately penalized if they are unable to provide a patient’s entire electronic health information through an application programming interface (API).
Enhanced privacy and security: The proposed rule does not sufficiently address Cures’ directives to protect patient data privacy and ensure health IT security. It is imperative that the Committee continues its oversight of privacy and security issues that fall outside of the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework. This includes ensuring certified APIs include mechanisms to strengthen patients’ control over their data—including privacy notices, transparency statements and adherence to industry-recognized best practices.
Appropriate implementation timelines: ONC should establish reasonable timelines for any required use of certified health IT (CEHRT). Providers must be given sufficient time to deploy and test these systems, which must take into account competing regulatory mandates.
Revised enforcement: The U.S. Department of Health and Human Services should use discretion in its initial enforcement of the data blocking provisions of the regulation, prioritizing education and corrective action plans over monetary penalties.
Signatories of the letter include:
American Health Information Management Association (AHIMA)
American Medical Association (AMA)
American Medical Informatics Association (AMIA)
College of Healthcare Information Management Executives (CHIME)
Federation of American Hospitals (FAH)
Medical Group Management Association (MGMA)
When most people visit their health professional, they go in confidence that they are in good hands and the confidentiality of their health issues and personal information is protected. After all, who can a person trust more than their doctor? Unfortunately, while patients are safe a majority of the time, there is the chance that a data breach could result in the release of private information.
This breach could be because of a computer hacker, a system breakdown, or even a natural disaster. In any case, the healthcare organization is responsible for keeping patient data secure. If they fail to do so, then they must do damage control and patients must do what they need to in order to protect themselves. Here is a breakdown of what is expected of these companies and what consumers should do in the event of a medical data breach.
The Responsibility of Health Companies
When the Health Insurance Portability and Accountability Act (HIPAA) was officially enacted in 2003, it set a precedent that health organizations must ensure that all patient information is private and confidential. Along with that came the HIPAA security rule, which says that the same organizations must perform risk analysis and have the proper safeguards in place so that data cannot be stolen or leaked to unauthorized individuals.
While many organizations have the proper barriers in place to protect against the loss of data, there have been instances where significant breaches have resulted in major leaks. The data leaked in such a breach can include everything from patient names and addresses to Social Security numbers, which can be used to conduct identity theft. If you discover that a breach has occurred and it affects your patients’ data, then you must take action. You should also prepare for your patients to do the same — often in the form of lawsuits.
Back in 2014, UCLA health was involved in a class-action lawsuit and had to pay out $7.5 million after hackers broke into their system and copied or stole the records of 4.5 million patients. Another such breach took place recently in 2019 when the teaching hospital at the University of Connecticut was infiltrated. In this instance, the hackers accessed employee email accounts, which also potentially contained patient records and Social Security numbers. The related class action suit is still pending.
By John Schneider, chief technology officer, Apixio.
Signed into law nearly a quarter century ago, the Health Insurance Portability and Accountability Act (HIPAA) has not aged well in the information technology world. HIPAA itself is largely misunderstood. I don’t know how many times I’ve heard someone tell me about the “Health Information Privacy Act.” However, it’s easy to understand where the confusion comes from. Who hasn’t heard a story about a ransomware attack, data breach, or privacy violation in the news? And it’s not just happening in the healthcare domain—it’s happening everywhere.
The truth of the matter is that security and privacy breaches in healthcare and other industries are a common occurrence. This has resulted in an unhealthy preoccupation by the healthcare community with the security and privacy provisions in the HIPAA legislation that fall under Title II Administrative Simplification. This too is easy to understand—unlike other industries that seemingly get off scot-free after a breach, the healthcare industry is held to an actual standard, and there are penalties for not meeting this standard that can be reputationally and financially ruinous.
To fully understand the healthcare community’s preoccupation with the HIPAA Title II provisions, we need a little background on what HIPAA is. HIPAA has five provisions called Titles. The two key provisions are Title I, HIPAA Health Insurance Reform, and Title II, HIPAA Administrative Simplification. All of the security and privacy regulations stem from Title II, but “Administrative Simplification” doesn’t exactly shout out “security and privacy” (although the Privacy Rule and Security Rule are 2 of the 5 sections in Title II). Title II doesn’t even provide regulations—it simply hands that responsibility off to the Department of Health and Human Services (HHS) to create such regulations as it sees fit, so ultimately, these are the regulations that we’re contending with and are driving behavior that’s limiting the value of data we’re collecting in healthcare.
Let’s first look at the two types of regulations that cause the most adverse behavior.
Sharing Constraints: There are a number of requirements in privacy regulations that constrain sharing, and many are common-sense business-use rules that protect patients effectively. There are also some regulations that state that covered entities (regulation-speak for providers) should only share data they have with other business associates that are directly participating in the care and management of the patient. These effectively prevent the use of healthcare data to create new and innovative products because product development isn’t related to patient care or management.
Punishments for Breaches: Breaches can be financially painful or even ruinous for a business. The penalties associated with breaches make executives think twice about the use of the data they have, even with business associates helping them manage care, because the risk to them is very real. What this means in the real world is that it can take a long time for a new business with a good idea to improve healthcare delivery to gain traction because the holders of data are reluctant to give these businesses the data they need.
These issues are real and are having negative effects in the healthcare industry. However, these same issues are not impeding innovation in other industries that have just as much (or more) private information. What gives here? Healthcare isn’t getting a fair shake.
There are a number of inequities in healthcare that we should take issue with:
There’s an uneven playing field. Think about where the data is in healthcare. It’s largely in the hands of the providers. They effectively own this data, even though technically it belongs to patients. Small startups have no access to this data. They have to hunt for providers willing to share. Often, sharing comes at the cost of onerous business terms. The larger the cache of data, the more advantaged you become, and in an industry like healthcare that is ostensibly rallied around social good, this should not be okay.
If you do get data, you might become a target. There are many examples where companies (for example, Google this past year) are harassed for doing innovative research for no other reason than they’re visible and have deep pockets. The problem is that we have obsolete regulations that are being used to make a point that isn’t valid in our modern context.
Most of the data we’ve accumulated isn’t used for innovation. The data outlook in healthcare has come a long way in the last ten years since the HITECH act was passed. Electronic medical records have gone from being sparsely used to nearly universal, but most of this data goes unused beyond the walled gardens of the medical record systems they live in. Artificial intelligence and machine learning applications depend on large, real-world datasets and could be put to use to build technology and resources to identify distinct risk profiles, analyze the effectiveness of treatment protocols across specific patient populations, or surface insights that can dramatically improve the speed and quality of care. But only the few commercial entities that have access to data can play in this space.
As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services. One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so.  Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.
However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office for Civil Rights (OCR) has issued approximately $6 million in financial penalties where failure to obtain a signed HIPAA-compliant business associate agreement (BAA) from at least one vendor was either the sole reason for the financial penalty or contributed to the severity of the penalty.
The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months. This means that 70 percent had experienced a significant security incident.
HIPAA requires that covered entities have a BAA with vendors that have access to PHI to perform duties on behalf of the covered entity, or if electronic PHI (ePHI) passes through their systems. The HITECH omnibus rules require that business associates comply with the security rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the privacy rule, and ensure their subcontractors agree to the same regulations.
While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor’s security.
Nor will a BAA protect the entity’s reputation. Quest Diagnostics recently experienced a breach, by one of their vendors, of financial data for approximately 11.9 million patients. While the breach was the fault of the vendor, the media focus and public attention is on Quest Diagnostics.
It’s important to consider if the data an organization is entrusting to a vendor is protected. What is the organization doing to ensure vendors who access ePHI understand their obligations and expectations?
The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.
Organization Has Required BAAs
Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to business associates were released in 2013, and accounts payable has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls, someone will have figured it out! Vendors can get established without a BAA when you merge with or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made from a vendor. Vendors can change ownership without providing you with notice that you need an updated BAA.
Reviewing the vendor master file should begin with the elimination of vendors that the organization knows are not business associates, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use of and access to PHI. The process can be time consuming and painful, but if this basic first step is never done, an organization will never know if it has identified the vendors that are putting the organization at risk. At the end of this process, the organization will have two lists: vendors with BAAs and vendors without BAAs.
Once the organization has a list of vendors that access their PHI, they need to determine “what are these vendors doing to protect patient PHI?” Some questions organizations should ask themselves:
Do we do any periodic reviews of vendor
Did we evaluate security before we started working with the vendor?
Do our vendors have certifications they can provide to us?
If they advertise HITRUST certification, have they sent us a current report?
What do we know about what they are doing with
Are they sending our data off shore?
Do they have security standards that at least meet HIPAA standards?
Evaluation can be done in a number of ways. If a vendor is audited annually to maintain their HITRUST certification, or they have a SOC 2 or other audit done to validate their security controls, ask for the reports. Furthermore, the reports should be reviewed to make sure that the controls the organization relies upon to protect ePHI are functioning. If the vendor doesn’t have an independent review, the organization may need to do its own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.
If a vendor doesn’t want to provide information, or can’t provide good data, the organization needs to perform a risk assessment to determine if they are willing to accept the risk presented from the lack of
After doing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete with the names of both parties and the appropriate signatures? Is the contact information correct? If the vendor doesn’t have a BAA, it’s past time to get a BAA. If the vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship!
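As an added illustration of the two-step review described above (reconciling the vendor master file against the BAA file, then checking each BAA for the Omnibus update, both parties’ names, signatures and contact information), here is a Python script that is not part of the original article. The vendor records, BAA records, column names and the exclusion categories are constructed sample data, and the HITECH Omnibus Rule compliance date of September 23, 2013 is used as the cutoff for flagging agreements that predate it and were never updated.

```python
"""Reconcile a vendor master file against a BAA file and flag gaps.

Added example (not the article's own tooling). All records below are
constructed sample data; the column layout is an assumption.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample: the accounts-payable vendor master file.
VENDOR_MASTER_CSV = """vendor_id,name,category,phi_access
V001,City Power and Light,utility,no
V002,Example Billing Services,revenue cycle,yes
V003,Example Transcription LLC,transcription,yes
V004,Dr. A. Example,contracted physician,yes
V005,Example Cloud Backup,it services,yes
V006,Office Supply Depot,supplies,no
V007,Example Claims Clearinghouse,clearinghouse,yes
"""

# Constructed sample: the BAA file kept by compliance. V009 has a BAA on
# file but no longer appears in the vendor master (e.g. an ownership change).
BAA_FILE_CSV = """vendor_id,counterparty,ce_signature,ba_signature,signed_date,omnibus_updated,contact_email
V002,Example Billing Services,J. Doe,R. Roe,2011-04-02,no,ap@examplebilling.invalid
V003,,J. Doe,,2019-06-15,yes,
V005,Example Cloud Backup,J. Doe,M. Moe,2020-01-10,yes,security@examplebackup.invalid
V009,Former Vendor Inc,J. Doe,K. Koe,2016-02-20,yes,legal@formervendor.invalid
"""

# Vendor categories the article says can be eliminated up front because
# they are not business associates.
NON_BA_CATEGORIES = {"utility", "employee expense reimbursement", "contracted physician"}

# Compliance date of the HITECH Omnibus Rule; agreements signed before it
# and never updated are flagged for review.
OMNIBUS_COMPLIANCE_DATE = date(2013, 9, 23)


@dataclass
class Vendor:
    vendor_id: str
    name: str
    category: str
    phi_access: bool


@dataclass
class Baa:
    vendor_id: str
    counterparty: str
    ce_signature: str   # covered entity signatory
    ba_signature: str   # business associate signatory
    signed_date: date
    omnibus_updated: bool
    contact_email: str


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def load_vendors(text: str) -> list:
    return [Vendor(r["vendor_id"], r["name"], r["category"].strip().lower(), _yes(r["phi_access"]))
            for r in csv.DictReader(io.StringIO(text))]


def load_baas(text: str) -> dict:
    return {r["vendor_id"]: Baa(r["vendor_id"], r["counterparty"].strip(), r["ce_signature"].strip(),
                                r["ba_signature"].strip(), date.fromisoformat(r["signed_date"]),
                                _yes(r["omnibus_updated"]), r["contact_email"].strip())
            for r in csv.DictReader(io.StringIO(text))}


def baa_defects(baa: Baa) -> list:
    """Return the review questions from the article that this BAA fails."""
    defects = []
    if not baa.counterparty:
        defects.append("missing counterparty name")
    if not (baa.ce_signature and baa.ba_signature):
        defects.append("missing signature")
    if not baa.contact_email:
        defects.append("missing contact information")
    if baa.signed_date < OMNIBUS_COMPLIANCE_DATE and not baa.omnibus_updated:
        defects.append("not updated for HITECH Omnibus requirements")
    return defects


def reconcile(vendors: list, baas: dict) -> dict:
    """Split the vendor master into: excluded, no BAA, defective BAA, BAA ok."""
    report = {"excluded": [], "no_baa": [], "baa_defective": {}, "baa_ok": []}
    for v in vendors:
        if v.category in NON_BA_CATEGORIES or not v.phi_access:
            report["excluded"].append(v.vendor_id)
            continue
        baa = baas.get(v.vendor_id)
        if baa is None:
            report["no_baa"].append(v.vendor_id)
            continue
        defects = baa_defects(baa)
        if defects:
            report["baa_defective"][v.vendor_id] = defects
        else:
            report["baa_ok"].append(v.vendor_id)
    # BAAs with no matching vendor deserve a look too (merger, renamed or re-keyed vendor).
    report["orphan_baas"] = sorted(set(baas) - {v.vendor_id for v in vendors})
    return report


def run_report() -> dict:
    return reconcile(load_vendors(VENDOR_MASTER_CSV), load_baas(BAA_FILE_CSV))


if __name__ == "__main__":
    for section, items in run_report().items():
        print(f"{section}: {items}")
```

Vendors landing in `no_baa` or `baa_defective` are the ones the article says need a BAA obtained or corrected before the relationship continues.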
Monitoring vendors for PHI security is not a “one time” review. A vendor who had a great security person who understood HIPAA and the organization’s requirements can have a financial setback and replace the experienced Security Director to save money. A vendor who assured an organization that its data was stored and processed in the US can suddenly outsource processing of the account to an offshore location. While this monitoring can take time and resources, as many have learned in healthcare — a little prevention can often head off a major issue.
Healthcare data hacking has started occurring pretty often nowadays, and most people are not even aware that their data has been stolen. Healthcare organizations are not built in a way that lets them identify illegitimate records; hence, they are unable to eliminate them.
The main problem is that people are not aware of a healthcare data breach until they are sick and need treatment, which makes it the worst time to deal with problems like this. A breach of healthcare data can lead to losing insurance coverage, mixed-up records, wrong diagnoses, medical harm, etc.
So how do you prevent this from happening? We are here to share some tips that will help you avoid healthcare data hacking.
5 Tips to avoid healthcare data hacking
Lexington Law. Healthcare data theft, along with identity theft, has become a huge problem in today’s world. In order to stay protected from these things, hiring services like Lexington Law can be extremely helpful.
They provide things like free credit report evaluation and attractive discounts for couples, families and active military personnel, along with protecting your healthcare data and identity. You can go over to websites like Crediful to read a review of Lexington Law before buying.
Do a risk assessment test. In 2003, a rule was passed by HIPAA which stated that healthcare organizations were required to take a risk assessment test. However, there was no penalty if not done, so most organizations did not do it.
Then the HITECH Act passed and it changed the law by making security risk analysis mandatory. Performing security analysis helps in identifying vulnerabilities in the security systems and identifying threats.
Always keep software up to date. Most people neglect software updates because they are busy and do not like the idea of taking the computer system offline for updates, but this is a terrible thing to do, and it puts your data at huge risk.
The latest version of the software is mainly released to reduce any security risks, and not updating them keeps your devices vulnerable to threats and attacks. You will miss any security patch that comes with the latest updates. Criminals use this to their advantage to steal data from outdated devices. Thus, make sure you always keep all software updated.