Of all the cyberbreaches that have made headlines this year, you may have noticed a large number of the victims were health care organizations.
Though the number of cyberattacks has increased across the board over the years, data security risks in the health care sector, in particular, continue to present a significant, and growing, challenge. The expanding interconnectivity between health facilities, government, third-party payers, physicians and patients increases the risk of data breach. Further, as the use of Wi-Fi and Bluetooth enabled devices for transmission of Protected Health Information (PHI) becomes more commonplace -- and health care providers implement electronic medical records in order to streamline data collection and make patients’ health information portable and more readily accessible -- their exposure to significant losses, fines and penalties increases. Unintended releases of health care data are a significant risk, but intentional acts are on the rise.
Many security experts warn that health records are a top target for criminals, as the information contained in these documents has a high value on the black market. In fact, the FBI warned in 2014 that the industry is a prime target for criminals seeking to obtain health care information and other personally identifiable information.
Further complicating the risk management obligation for health care providers, the industry has been facing tightening regulation regarding the security of PHI -- all of which could lead to significant fines and penalties to health care providers for the inadvertent release of PHI. While many state and federal agencies have promulgated rules and laws pertaining to PHI, the principal federal regulations relating to health care can be summarized as:
- 1996: The Health Insurance Portability and Accountability Act (HIPAA) aims to make it easier for individuals to protect their health information and insurance and to help the industry control costs.
  - The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain transactions electronically.
  - The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity.
  - The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
- 2009: The Health Information Technology for Economic and Clinical Health Act (HITECH) was designed to promote the widespread adoption and standardization of health information technology and to extend the HIPAA Privacy and Security Rules: it establishes new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibits the sale of protected health information, and expands individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.
It should be noted that breaches or unauthorized releases of health care data can also occur without any “cyber” aspect at all. Lost or missing laptops and medical devices, improper record storage and improper disposal of data remain significant risks. All things considered, the proper storage, transmission and protection of health care data poses a significant risk to every health care enterprise. So, what are health care organizations to do when risk levels are through the roof and places to turn are limited? Create a plan that is continually evaluated for its effectiveness and is supported by the board and senior leadership of the enterprise.
When creating an information protection plan for your health care organization, consider that an effective plan should address people, processes and technology:
- Cybersecurity/data protection policies and procedures
- User awareness training
- Regular cybersecurity risk assessment (at least annually)
- Data loss prevention program and technology
- Focus on the organization’s critical information assets
- Coverage of facilities, government, third-party payers, physicians and patients
- Incident response plan
I encourage health care facilities to create cybersecurity plans that become an essential part of the organization’s total enterprise risk management approach to avoid letting something slip through the cracks.