By Brian Szumsky, MA
Cybercrime is a fact of life. We hear with increasing frequency about data breaches across industries. Most recently and infamously, the DNC and Yahoo have been victims of these criminal enterprises, executed by entities half a world away. And while these external threats are real, there is also a growing risk of breaches carried out by internal parties. Protenus Breach Barometer tracks data breaches in health care. In November 2016, of the 57 identified breaches, more than half involved employees working for the affected organization.
AAAHC Standards and Cybersecurity
AAAHC Standards related to Administration, to Clinical Records and Health Information, and to Safety (Chapters 3, 6 and 7) address the importance of maintaining the security of organizational and patient records. In the current environment, these Standards become a critical element of an organization’s emergency preparedness.
Why is health care data at risk? It may be that the medical information is less valuable to hackers than the personal data. Electronic health records (EHR) include names, addresses, Social Security numbers, birth dates, phone numbers, insurance information and email addresses, and that’s before you reach the health information. The primary motive for stealing EHR data is financial; the data can be sold on darknet marketplaces for the purposes of identity fraud and theft. In some cases, hackers have demanded ransom from the victimized organization to restore the compromised IT system or as blackmail to prevent the hacker from announcing the breach. The immediate fallout is disruption in day-to-day operations, with potential for a ripple effect on the quality of patient care, such as medication reconciliation and access to medical histories.
In many cases, the success of these attacks is predicated on targeting the most vulnerable organizations, those whose systems have exploitable weaknesses. In its simplest form, a breach may begin with an email attachment containing malicious code. Once the code is activated, for example by opening the attachment, it can worm its way through a computer network, resulting in loss or theft of stored data.
What do we do?
Two key requirements of the HIPAA Privacy Rule are:
- Health care organizations must have policies and procedures to identify, recognize and respond to threats.
- The organization’s governing body must have developed an action/response plan in the event of a breach.
On January 13, 2017, CMS published Survey and Certification Letter #17-17, “Recommendations for Providers and Suppliers Regarding Cyber Security,” as an addendum to the Cybersecurity Act of 2015, which required the Department of Health and Human Services (HHS) “to develop a report on the preparedness of HHS and health care industry stakeholders in responding to cybersecurity threats.” The letter’s recommendations include:
- Review current policies and procedures to ensure adequate plans are in place should an attack occur.
- Retrain staff to use non-electronic methods, for example, written discharge instructions.
- Familiarize staff with the paper medication administration record (MAR).
- Use paper-based requisition forms for transmission of radiology and laboratory orders.
- Pre-program telephone and fax numbers into the fax machine to avoid transmission delays in the event that the computer network is down or disabled.
HHS now requires that any organization storing protected health information have several layers of security in place to help protect data from cybercriminals.
Additionally, the HHS Office of Civil Rights recommends:
- Backing up data onto segmented networks or external devices and making sure backups are current
- Ensuring software patches and anti-virus software are current
- Installing pop-up blockers and ad-blocking software
- Implementing browser filters and smart email practices
Cybersecurity companies generally recommend implementing regular vulnerability scanning and/or penetration testing for IT security.
Data breaches of health care records can affect millions of individuals; some studies say as many as 1 in 3 Americans have already been affected. For accredited organizations, the issue should rise to a high level of priority.
Snapshot: Data Breaches by the Numbers
- More than 90% of reported health care data breaches were caused by hackers or unauthorized access and disclosure (Forbes).
- The top ten breaches totaled 112 million stolen health records.
- In July, HIPAA Journal noted 142 health care data breaches had been reported by midyear, equal to the number for the same period in 2015.
- 181 health care breaches were reported, ranging in size from 500 to 3.6 million affected individuals (Experian).
- Health Solutions, one of the largest diagnostic laboratories in India, was breached and privacy compromised for 35,000 medical records.
Brian E. Szumsky is the communications project manager within the AAAHC Marketing and Communication department. He has been with the company since 2015 and has worked with the consulting arm (Healthcare Consultants International) and the AAAHC Institute for Quality Improvement.