The adoption of the Electronic Health Record (EHR) and the HITECH Act of 2009 digitalized healthcare and brought drastic changes to the industry. Although many aspects of care have flourished, such as clinical workflow, engagement, and overall outcomes, one problem remains: patient privacy. Personal health data is no longer private. From information sharing between facilities, social media, wearable trackers, mobile health apps, and more, your records are out there and vulnerable to hackers if not adequately protected.
The Health Insurance Portability and Accountability Act (HIPAA) was formulated to ensure that confidential personal health information. HIPAA specifies a group of industry actors–such as health plans, provider organizations, and clearinghouses–designates them as “covered entities” and then regulates how they and their business associates use certain information. A patient’s health information is only “protected” when a covered entity records or uses it.1 Life insurers, employers, school districts, state agencies, law enforcement, and municipal offices do not have to abide by these rules.
Data protected under HIPAA includes diagnoses, treatment plans, test results, medications, and insurance information, as well as general data such as contact information, date of birth, social security, demographics, and more.2 However, because technology is advancing at a pace greater than HIPAA can control, all this goes out the window when a covered entity experiences a data breach, with the only obligation being to notify the individual affected.
Risks involved with cyberattacks
Healthcare has always been one of the most breached industries. In fact, it was the seventh-most targeted sector in 2020, up three spots from the previous year. From the start of 2021 to July 1st, there have been 334 reported data breaches in healthcare, with over 19 million records compromised. The violations of Northwestern Memorial Healthcare and MultiPlan, a medical payment billing service provider, affected over 200,000 patients each.3
These attacks are costly to both entities and patients. When unauthorized users enter your network, they can impersonate you to get medical services, open credit accounts with your data, illegally obtain drugs, and blackmail you with sensitive personal details. They could also tamper with medical data and delay treatments, appointments, and procedures, negatively impacting patients’ well-being. Breaches often result in substantial financial payouts from the organization, or worse, stolen patient identities. For more frightening cybersecurity statistics from last year, check below:
Stats via Bitglass
How to manage a breach and prevent future ones
When an organization experiences a breach, the first thing they should do is start their incident response plan (IRP). This involves staying calm and not making rash decisions (like immediately wiping or re-installing the system), preserving evidence, assembling an incident response team, and then containing the breach. Having an IRP can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly!
To contain the breach:
- Isolate the affected system
- Disconnect from the Internet to stop data bleeding and disable remote access capability and wireless access points
- Change all account passwords and disable non-critical accounts
- Make sure you document the steps you have taken thus far, as it will help reclaim your information and track down hackers later on.
- Get the word out. Contact all the affected patients, the press, your lawyers, perhaps even the Department of Health and Human Services.4
Now that you’ve handled this current breach, the next step is implementing procedures and security measures to help your entity avoid another one. Some actions include installing firewalls, regular software updates, identifying and reporting suspicious threats (i.e., phishing emails), offering staff training sessions, etc. For more on this, head to our previous blog post.
Healthcare leaders should take cybersecurity very seriously, as a hacked system could lead to several problems for patients and the business. The advancement of technology has made data breaches almost impossible to avoid. Still, by following HIPAA laws and cybersecurity guidelines, your entity can mitigate security risks and protect its patients’ private data at all costs.
- Ross, Joe. “How to Protect Patient Data.” How To Protect Patient Data, International Association of Privacy Professionals, 25 November 2014, iapp.org/news/a/how-to-protect-patient-data/.
- “What Does Hipaa Protect?” HIPAA Journal, 26 Mar. 2018, www.hipaajournal.com/what-does-hipaa-protect/.
- “June 2021 Healthcare Data Breach Report.” HIPAA Journal, 23 July 2021, www.hipaajournal.com/june-2021-healthcare-data-breach-report/.
- Stone, Jen. “How to Manage a Healthcare Data Breach.” SecurityMetrics, www.securitymetrics.com/blog/how-manage-healthcare-data-breach.