A $5.55 Million Fine!
This year has been a rough one for the health industry when it comes to data breaches, and health data managers have been on their toes for some time now. In one settlement, a fine of $5.55 million was paid over compromised and lost electronic patient records, following a series of attacks on health institutions across the United States.
The HIPAA Journal reported that a database of 9.3 million records was stolen from a health insurer and then put up for sale on a darknet marketplace.
While all of these cases are in the health sector, the methods by which health data is compromised vary, and some of them are quite surprising.
The HIPAA Journal reports that in February 2016 the Florida-based Radiology Regional Centre lost patient files, on their way “to be incinerated”, when they quite simply fell off the vehicle transporting them. No hacking was required for this breach: the records were simply lost in transit and exposed to whoever found them.
The California Correctional Health Care Services lost its patients’ records to theft when an unencrypted laptop computer was stolen from inside one of its health centres. It contained electronic protected health information (ePHI), exposing the confidential information of around 400,000 patients. Had the laptop’s disk been encrypted, the theft of the hardware would not have exposed the records.
EMR management company Bizmatics also suffered a data breach impacting more than 265,000 individuals, the result of a malware infection.
Health Data Breaches Are Expensive
A healthcare data breach is expensive: beyond the cost of remediation, hospitals and health insurers pay settlements and penalties for the compromised information.
One of the biggest healthcare breaches was suffered by Anthem Inc. The breach, which began in February 2014, started with a phishing email. Malicious files were downloaded accidentally, giving the attackers access to Anthem’s databases. The investigation points to a nation-state acting with a purpose rather than an individual: “The sophistication of the attack evident not from the phishing email but from the ability of the malware to move laterally throughout the IT infrastructure, access critical databases, and exfiltrate data – all without detection”, confirms Dan Berger, CEO of Redspin. Anthem Inc., which brought in the cybersecurity firms CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, has already incurred huge expenses from this breach: around $112 million to provide credit protection to impacted consumers.
The HIPAA Journal has released figures counting the exact number of data breaches caused by unauthorized access to computers or network servers, or by loss or improper “disposal” of records. These healthcare data breaches were motivated by the theft of patients’ personal information, such as names, addresses, birth dates and credit card numbers, which is used to create fraudulent accounts and to access healthcare or financial services (or for other criminal activity). Mark Turnage, CEO of OWL Cybersecurity, says that data thieves create fake accounts under the victim’s name and “As a result, these files allow criminals to access healthcare services, financial services and information to use the victim’s identity to commit further fraud or crime.”
The Office for Civil Rights (OCR) has collected more than $16 million in penalties from just five entities.
Upgrading Health Data Security
The health industry is becoming more secure, though. Anthem Inc. has implemented two-factor authentication for logins to all of its systems and deployed an enhanced account management solution; according to the state insurance commissioners, it is now spending more than $260 million on security.
Strict access controls do a far better job of locking down information and can prevent intrusions into your systems. Keeping ePHI in a managed database also allows access to be limited to authorized personnel only, so that the information stays strictly private, and every access can be logged, which is what turns a silent exfiltration like Anthem’s into a detectable one. Maintaining ePHI securely does not, however, remove the need to build a better risk management programme around it: the unencrypted laptop and the records that fell off a truck were failures of process, not of database security.
The bottom line is to determine what, or who, is at fault in a health data breach. Some of the cases above seem to be caused by sheer negligence, leaving the information at the thieves’ disposal and all but inviting them in. The best laid plans, experts and solutions mean nothing if they are not followed.
You can implement every best practice for avoiding a health data breach; just don’t make yourself an easy target.
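The two ideas above, limiting ePHI access to authorized personnel and making access visible enough that bulk exfiltration of the kind described in the Anthem case does not go undetected, can be shown in a few lines. The following is an added example written for this article, not code from Anthem, HIPAA or any product mentioned; the patient records, users, roles, care-team assignments and the bulk-access threshold are all constructed for illustration. An access gate returns a record only if the caller's role permits it and (for clinicians) the caller has a treatment relationship with the patient, returns only the fields that role may see, and writes every attempt, allowed or denied, to an audit log. A small detector then scans that log for one account touching an unusual number of distinct patients.

```python
"""Access gate for ePHI records plus a bulk-access detector over its audit log.

Added example, not from the article. All data, roles, relationships and the
threshold below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample ePHI store: patient id -> record (hypothetical data).
PATIENTS: Dict[str, Dict[str, str]] = {
    "P001": {"name": "A. Example", "dob": "1970-01-01", "diagnosis": "hypertension"},
    "P002": {"name": "B. Example", "dob": "1985-05-05", "diagnosis": "asthma"},
    "P003": {"name": "C. Example", "dob": "1992-09-09", "diagnosis": "fracture"},
    "P004": {"name": "D. Example", "dob": "1960-12-12", "diagnosis": "diabetes"},
}

# Treatment relationships: which clinician may see which patients (hypothetical).
CARE_TEAM: Dict[str, Set[str]] = {
    "dr_lee": {"P001", "P002"},
    "nurse_kim": {"P002", "P003"},
}

# Field-level policy per role (hypothetical): billing never sees the diagnosis.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing": {"name", "dob"},
}


@dataclass
class AccessGate:
    """Every fetch is logged, whether or not it was allowed."""

    audit: List[dict] = field(default_factory=list)

    def fetch(self, user: str, role: str, patient_id: str) -> Optional[dict]:
        record = PATIENTS.get(patient_id)
        # Clinicians need a treatment relationship; billing may look up any
        # existing patient but only sees the fields its role permits.
        allowed = (
            record is not None
            and role in ROLE_FIELDS
            and (role == "billing" or patient_id in CARE_TEAM.get(user, set()))
        )
        self.audit.append(
            {"user": user, "role": role, "patient": patient_id, "allowed": allowed}
        )
        if not allowed:
            return None
        # Minimise what leaves the store: only the fields this role may see.
        return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}


def flag_bulk_access(audit: List[dict], threshold: int = 3) -> List[str]:
    """Return users who touched more than `threshold` distinct patients.

    Denied attempts count too: an account walking the whole store is
    suspicious even when the gate stops it.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for entry in audit:
        seen[entry["user"]].add(entry["patient"])
    return sorted(u for u, patients in seen.items() if len(patients) > threshold)


def demo():
    """Run a few constructed accesses and return what the gate and detector yield."""
    gate = AccessGate()
    ok = gate.fetch("dr_lee", "clinician", "P001")       # on the care team: allowed
    denied = gate.fetch("dr_lee", "clinician", "P003")   # not on the care team: None
    billing = gate.fetch("clerk_ann", "billing", "P003")  # allowed, but no diagnosis
    for pid in PATIENTS:                                 # one account walks every record
        gate.fetch("nurse_kim", "clinician", pid)
    return ok, denied, billing, flag_bulk_access(gate.audit, threshold=3)


if __name__ == "__main__":
    print(demo())
```

The gate logs the denied attempts as well as the allowed ones; that is deliberate, because a compromised clinician account probing records it cannot open is exactly the behaviour the log is there to surface, and the detector's threshold would in practice be tuned per role against normal daily volumes rather than fixed at three.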