The American health care industry’s move to electronic health records has made individual patient records more accessible to third-party vendors and consultants. It has also made them more accessible to cybercriminals.
Health information has become more valuable to hackers and identity thieves than bank account and credit card information. Every time a person visits a doctor, clinic, hospital or other health-related facility, protected health information (PHI) is created, acted on and stored, and most of it is stored electronically. That puts you and your company at risk of identity theft.
Cybersecurity is becoming an increasingly complex and expensive issue. Experts advise planning not for whether a cyberattack will happen but for when. The U.S. Department of Health & Human Services reported a total of 450 health care data breaches affecting more than 27 million patients during 2016.
Medical identity theft occurs when protected health information is stolen and used to obtain medical or government services or medical equipment, or to file false insurance claims.
Ransomware is malware that encrypts the files on a computer or server so the owner is locked out of them. The attacker then demands a ransom in exchange for the key that unlocks the data, with no guarantee that paying will actually get it back. Early ransomware campaigns targeted large companies because the payout was bigger; now that the attacks are automated, anyone is a potential target. Small health care practices are being hit with relatively “affordable” ransoms of $5,000-$10,000. Cisco’s 2017 Annual Cybersecurity Report estimates that these attacks are growing at a yearly rate of about 350%.
While hackers are a serious threat, a growing number of breaches are caused inadvertently by employees. A staff member opens an official-looking email about an urgent problem or vulnerability with the firm’s electronic health records. These emails can be well-disguised: the sender’s name and the visible text of a link can both look legitimate while the link itself leads somewhere else entirely. The staffer clicks the link, and malware takes over the machine.
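Those disguises can be checked mechanically before a message ever reaches an inbox. The script below is an added example for this column, not code from the author, AFMC or any EHR vendor. It parses two constructed sample messages (every address and domain in them is made up, using the reserved .example suffix) and flags two of the most common tricks: a display name that carries a different email address than the one the mail really came from, and a link whose visible text names one site while its href points at another.

```python
"""Flag two common disguises in a phishing email.

Added example for this column; not code from the author, AFMC or any vendor.
The sample messages are constructed and use the reserved .example domains.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the display name carries a vendor-looking
# address, the real sender is elsewhere, and the link text shows the vendor's
# portal while the href lands on login-verify.example (the registrable
# domain is the LAST two labels, so "ehr-vendor.example." up front is bait).
PHISH_EMAIL = """\
From: "EHR Support <support@ehr-vendor.example>" <alerts@mail-notify.example>
To: frontdesk@clinic.example
Subject: URGENT: vulnerability in your patient records system
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A critical vulnerability affects your account. Log in within 24 hours:</p>
<p><a href="http://ehr-vendor.example.login-verify.example/reset">https://portal.ehr-vendor.example/login</a></p>
<p>Questions? Read <a href="https://portal.ehr-vendor.example/help">our help page</a>.</p>
</body></html>
"""

# Constructed legitimate sample for comparison: sender and link agree.
CLEAN_EMAIL = """\
From: "EHR Support" <support@ehr-vendor.example>
To: frontdesk@clinic.example
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Details at <a href="https://portal.ehr-vendor.example/status">portal.ehr-vendor.example</a>.</p></body></html>
"""

# Visible link text that names a host: optional scheme, a dotted host and an
# optional path. Text such as "our help page" or "click here" will not match.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def same_site(shown, actual):
    """True when the href host is the shown host or one of its subdomains."""
    return actual == shown or actual.endswith("." + shown)


def analyze(raw):
    """Return a list of findings for a raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A display name that embeds an address other than the real sender.
    sender = msg["From"].addresses[0]
    embedded = ADDR_RE.search(sender.display_name)
    if embedded and embedded.group(0).lower() != sender.addr_spec.lower():
        findings.append(
            f"display name shows {embedded.group(0)} but mail is from {sender.addr_spec}"
        )

    # 2. Link text that names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            match = HOST_RE.match(text)
            actual = (urlparse(href).hostname or "").lower()
            if match and actual and not same_site(match.group(1).lower(), actual):
                findings.append(f"link text says {match.group(1)} but points to {actual}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", analyze(raw) or ["no findings"])
```

On the phishing sample this reports both the mismatched display name and the mismatched link; on the clean sample it reports nothing. In practice a check like this would run on the mail gateway against every inbound message and would also compare the sender’s domain against the list of vendors the practice actually uses; the point here is that the parts of a message a person sees and the parts that actually matter can be compared automatically before anyone clicks.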
Who is protecting your protected health information? The security rule of the federal Health Insurance Portability and Accountability Act (HIPAA) offers some protection. HIPAA establishes national standards for protecting the privacy and security of health information held by health care facilities, providers and their business associates. Its security rule requires every organization that creates, receives, maintains or transmits electronic PHI to conduct a security risk analysis and keep it current; an annual review is the widely followed practice. Conducting a security risk analysis means identifying where PHI is stored and handled, evaluating the threats and vulnerabilities to it, and implementing security measures that address the risks found. The security rule applies directly to a provider’s business associates as well. If your company creates, stores or transmits protected health information on behalf of a health care provider, you are a business associate and the same risk-analysis obligation applies to you. If you rely on such vendors, you remain responsible for your own risk analysis and for a written business associate agreement with each of them.
The safety of protected health information depends on the quality of that risk analysis and on how well the safeguards it calls for are actually implemented.
Here are ways to protect your own health information as well as the health information your vendors control.
- Never assume anything posted on the internet is secure, certainly not on social media or an online public forum.
- Protect every device and account with strong, unique passwords, and change a password as soon as you suspect it has been exposed. Any device connected to the internet (tablets, watches, e-readers, medical equipment and so on) is a gateway for hackers to reach your company’s data or your clients’ protected health information. Mobile devices are just as vulnerable as your business computers and require the same standard of security.
- Always verify, through a channel you already trust such as a known phone number, that whoever is requesting PHI is who they claim to be.
- Shred insurance forms, prescriptions, doctor’s statements and hospital bills instead of throwing them in the trash. There is a lot of identifying information on medical records: insurance and financial account information, Social Security numbers, addresses and contact information for next of kin.
- Don’t share health information with a provider or health plan unless you have confirmed it is HIPAA compliant.
- Install and activate remote wiping or remote disabling on mobile devices. Remote wiping permanently deletes the data on a lost or stolen device; remote disabling locks the device instead, so that if it is recovered you can unlock the data again.
Ray Hanley is president and CEO of AFMC in Little Rock. He previously spent 16 years as director of Medicaid in Arkansas. Email him at [email protected].