Insurance Giant Suffers Massive Data Breach!
Millions of Patients Have Data Stolen!
It seems like there are new headlines about data breaches in the healthcare industry every month — if not more frequently. In the last few years, electronic protected health information (ePHI) has become the primary target for hackers, and it's easy to see why.
According to a recent report by Reuters, ePHI fetches 10 to 20 times more than credit card data on the black market. That's why organizations that handle healthcare data are prime targets for data breaches and theft. In fact, 28.5 percent of the entire U.S. population was affected by just two healthcare data breaches discovered in 2015: Anthem and Premera.
Starting to feel a little overwhelmed? Don't worry. Here are five things you can do to keep your ePHI safe from prying eyes.
In 2013, two laptops were stolen from a secure office at a hospital in California. The laptops contained ePHI such as financial information, health conditions and demographic information. Unfortunately, the data wasn't encrypted, so the hospital had to notify 729,000 individuals that their ePHI had been compromised. The hospital implemented policies and procedures to reduce risks to the patients' ePHI, but the damage was already done. Had the laptops been encrypted, the hospital could have protected the information.
A recent article by Health Data Management points out that it's easy to encrypt everything, since encryption tools are embedded in current operating systems and come with nearly every device. (If a device doesn't have built-in encryption functionality, that's a sign that it's outdated and shouldn't be used to handle ePHI in the first place. We talk about that more below.) Yes, encrypting all your data costs time and money, but it's a drop in the bucket when you compare it to the cost of recovering from a breach.
Know Who You're Working With
While keeping ePHI out of the hands of outside thieves is hard enough, you also need to be able to trust your employees and your vendors' employees with the sensitive information. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) maintains a "wall of shame" website listing major healthcare data breaches. Of the 1,472 breaches on the website, 309 (21 percent) involved a business associate. These associates were responsible for exposing 32.8 million records.
You should thoroughly vet the employees and vendors who have access to your ePHI to make sure they're unlikely to misuse the information for personal gain. Routine audits can catch employees who are putting their noses where they don't belong.
Stop Using Outdated Devices
Encrypting ePHI and auditing employees' system usage can go a long way toward better controlling patient data, but the ability to do those things can be hampered by outdated technology. The healthcare industry is traditionally slow to adopt new technologies, and old communications methods and technology (such as pagers) are costing hospitals $8.3 billion per year.
Obsolete, poorly secured technology leads to vulnerabilities in your network. In fact, even one outdated system connected to the network could provide hackers with a back door. To monitor for threats, use a firewall service that includes intrusion detection and prevention, port scanning and protocol inspection, and perimeter anti-virus/malware blocking.
Don't Count on Obscurity
When healthcare giants like Anthem and Premera make headlines with massive data breaches, you might think you can get away with less-than-cutting-edge ePHI security by being a smaller provider. After all, hackers are only interested in big scores, right? Wrong. ePHI from a small physician's practice is just as valuable as ePHI from an insurance giant. According to a recent Health Data Management article, smaller providers represent a tantalizing target for hackers for one key reason: They're easy targets.
A lack of awareness about what the hackers are capable of and concerns about cost have kept many small healthcare providers from being properly equipped to handle sophisticated cyber attacks. Regardless of the size of your practice or company, you should always be aware of the threat of cyber attacks and keep your company prepared to fend off hackers. The cost of keeping your patients' ePHI secure pales in comparison to the consequences both you and your patients could face after a data breach.
To find out more about how to keep your data safe, read our post "Five Ways to Thwart a Cybersecurity Nightmare."