Stealing identities is nothing new to the FBI but stolen protected health information (PHI) is a rapidly expanding industry on the black market. The ability to obtain healthcare services, government benefits and prescription pharmaceuticals are the main reasons that each medical record could sell for upwards of $60-70. Just a single cyberattack puts millions of records at risk.
As part of HIPAA and HITECH, covered entities and business associates are required to safeguard PHI. One of the required implementation specifications of the Security Management Process 45 CFR §164.308(a)(1)(i) is a risk analysis. Keep your risk analysis in mind as you review Becker’s Hospital Review’s top 10 ways data is leaked in a healthcare organization:
- By a third party vendor – All of the companies that provide services to hospitals including IT consulting, medical equipment, lab services etc. and have access to clinical data.
- By a consulting physician or medical staff (including both admitting and referring physicians), contractors, students, and volunteers – There are many different types of people involved with everything from admitting to social services that can make data available to hackers.
- Hacker takes PHI through a cloud service – Cloud services used for backup are not often adequately secured.
- An email received by someone other than your patient – Hackers are becoming more sophisticated and are using phishing campaigns to impersonate patients to convince employees to divulge PHI.
- Someone logs into a hosted service that contains PHI – This could be an email account, calendar system, or hosted emergency medical response system.
- Employees send PHI through their work email address – emails can be intercepted and hacked, or employees can collude with fraudsters, sometimes emails can be sent to the wrong person by accident and the data is inadvertently leaked
- Employees send PHI through their personal email address
- Employees send PHI through a file sharing site (like Dropbox) – often third party solutions that are not secure are used to share large files that can’t be sent using standard email systems.
- A hacker breaks into your website to steal PHI
- Employees send PHI through instant messaging (like Skype)
Mitigation of any realistic threats and potential vulnerabilities to the protected health information is the key to prevention of any size breach. Certainly, no organization wants their name to appear on the Health and Human Service’s Wall of Shame.