Year after year, the number of data breaches affecting entities in the healthcare industry rises, and 2020 was no exception. The 616 data breaches reported this past year to the US Department of Health & Human Services (DHHS) have resulted in the exposure or compromise of 28,756,445 healthcare records.
Most of these breaches were caused by hackers and improper IT security, as ransomware gangs continue to target organizations whose security has been stretched thin even more than usual.
“Cybercriminals have used the pandemic as a gateway to access protected health information (PHI),” says Rick Kuwahara, COO and Chief Compliance Officer of Paubox.
“The effects of Covid-19, including hospitals at capacity and employee strain, have left the healthcare industry especially vulnerable. Some of the biggest threats to PHI include phishing and ransomware attacks, but also human error, a lag in network security, and blind spots in email encryption.”
In the US, the use of protected health information (PHI) is governed by the HIPAA Privacy Rule, which allows covered entities and their business associates to use and disclose PHI without a patient’s consent if it’s for treatment and payment for care and, depending on who created the information, healthcare operations.
“Additional use and disclosure can be done out of that scope if it’s with the patient’s written authorization,” Kuwahara explains.
PHI can also include patients’ financial (billing) information, if it is part of their overall health record.
The HIPAA Security Rule mandates that organizations must maintain “reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI,” but standard safeguards are often not enough.
“Organizations must go beyond HIPAA’s standards and implement practices that can aid in patching holes and creating a barrier cybercriminals can’t penetrate,” Kuwahara opines, and advises them to consider common practices such as:
- Timely and continuous training of staff to decrease the chance of human error
- Updating policies to keep up with the industry standard
- Adopting new technologies
- Securing both inbound and outbound email with quality encryption
- Employing secure password policies
- Patching and updating networks
- Increasing cloud network security
According to the latest IBM Cost of a Data Breach report, human error accounted for approximately 30% of all healthcare breaches in 2020.
To minimize that percentage in the coming years, healthcare organizations should properly train providers, nurses and administrators, as well as enact policies focused on recognizing and blocking malicious emails, credential sharing and mobile device usage.
Obligations and repercussions
The responsibility of keeping PHI and other patient information secure is up to those who have it “in hand,” so to speak.
“If the healthcare provider has PHI in digital or physical form, it must take all reasonable efforts to keep it secure, including encryption for electronic PHI (ePHI). The provider is also responsible for securely giving the PHI to the patient upon request,” Kuwahara explains.
“But once the patient has their information, it’s up to them to keep it secure. This includes both paperwork and ePHI that may have been emailed to them.”
On the black market, PHI is many times more valuable than personally identifiable information (basic information such as names, addresses, emails). Cybercriminals are after PHI because it enables them to steal prescription drugs, target victims with scams that take advantage of their medical conditions, and create fake insurance claims.
While 70% of consumers say that they would cut ties with doctors if they found that their personal health data was unprotected, the most likely way for them to find that out is after a breach, and by then it’s too late: the negative repercussions of their PHI getting compromised can be massive and may continue to pop up for as long as they live.
And, to add insult to injury, patients who have had their protected health information (PHI) compromised cannot seek legal recourse on the grounds of a HIPAA violation.
“While HIPAA does not have a private cause of action, patients can pursue legal action against a healthcare organization for violations of state laws. That said, patients must be able to prove harm or damage caused as a result of the theft or negligence of PHI,” Kuwahara concluded.