In 2015, the health care industry faced a wave of cyberattacks greater than in any previous year, with IBM reporting that close to 100 million records were compromised. Personal medical records now sell for a much higher price than credit cards on the “dark web,” making it likely that 2016 will see an even greater number of cyberattacks on medical providers. This blog post highlights the data breach threat to medical records and provides some recommendations for resources to use in improving your cybersecurity.
The Surge in Medical Data Theft in 2015.
There’s been an alarming increase in medical data theft in 2015. To take just a few examples:
- According to IBM’s Security Intelligence blog, there was “a 1,166 percent increase in reported health care records breached from 2014 to 2015.” IBM further reports “that in the first 10 months of 2015, healthcare ranked #1 in terms of records compromised, with nearly 34 percent of all records compromised across all industries.”
- An August 2015 KPMG survey reported that “eighty-one percent of health care executives say that their organizations have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks.”
- High profile data breaches in 2015 included attacks on health insurer Anthem, Inc., exposing up to 78.8 million customers’ records, and Premera Blue Cross, exposing up to 11 million customers’ records.
- And, for evidence that hackers aren’t just focused on major insurers or hospitals, look at the US Department of Health and Human Services’ Office of Civil Rights breach portal, which lists breaches of protected health information affecting more than 500 individuals. Reported breach victims include numerous individual physicians and community medical practices, with the most recent reported breach on Dec. 18, 2015.
The cybersecurity prognosis for 2016 doesn’t seem much better. Computerworld recently reported that, according to an IDC analysis, “one in three consumers will have their healthcare records compromised by cyberattacks in 2016” because of “a legacy of lackluster electronic security in healthcare and an increase in the amount of online patient data.”
Why Do Hackers Want Medical Records?
Medical records can provide hackers with a raft of information, including social security numbers and credit card numbers, which can be used to file fraudulent medical claims and drug prescriptions, and for identity theft.
Hackers can also use sensitive medical information to blackmail patients and to create targeted “spear phishing” attacks. The typical “phishing” email contains a generic message designed to induce the receipt to open a link or download a file that, unbeknownst to the recipient, installs malware potentially allowing hackers accessing to the target’s computer. “Spear phishing” refers to a “phishing” email tailored to credibly appeal to a specific target, such as by masquerading as an email from the target’s employer, or by referencing personal medical issues that the target thinks only her doctor knows.
Further increasing their value, medical records contain information that is difficult to quickly change, unlike credit cards, which banks can cancel or reset.
Lawsuits and Government Action as Breach Consequences.
Should your practice suffer a data breach, the legal consequences can range in scope, up to and including lawsuits, fines, or other government actions.
Data breaches can subject medical providers or insurers to lawsuits, whether class action or individual, based on allegations of negligence, breach of contract, and breach of various state data breach and consumer protection statutes. Class action lawsuits against Anthem and Premera, based on the breaches mentioned above, are ongoing.
The Federal Trade Commission (“FTC”) is increasingly bringing legal actions against breached companies for insufficient data practices. In the medical arena, the FTC has brought an action against medical testing company iLab MD, Inc. based on alleged leaks of consumer data. An administrative law judge dismissed the FTC’s claim, but the FTC appealed that decision to the FTC Commissioners in late December.
Breaches can also subject medical providers to fines of to $1.5 million from the Department of Health and Human Services in addition to fines from various state regulators.
What You Can Do to Improve Cybersecurity?
Given the threats to medical data – and the potential consequences of a breach – what can doctors do to help minimize the risk of a breach? Below are a few suggestions to improve cybersecurity practices going into 2016:
- Educate yourself: The government provides a variety of resources on cybersecurity best practices. Resources include tips and training videos at https://www.healthit.gov/providers-professionals/cybersecurity-shared-responsibility; and recommendations for complying with HIPAA’s “Security Rule” governing the storage of electronic protected health information (45 CFR Part 160 and Subparts A and C of Part 164) at http://www.hhs.gov/hipaa/for-professionals/security/index.html.
- Employee training: Ensure employees are properly trained on cybersecurity protocols, and then test that training. For example, some employers send fake “phishing” emails to employees to test their propensity for falling for this increasingly common hacking technique.
- Vendor assessment: Even if your cybersecurity practices are top-notch, you may still be vulnerable to losing data through a compromised vendor. Ensure that any vendor with access to medical health records adheres to cybersecurity best practices and signs the required business associate agreement required by the federal law under HIPAA.
- Assign responsibility: Consider assigning someone within your practice to be responsible for cybersecurity, including staying abreast of the latest government recommendations.
- Prepare for the worst case scenario: If you have a data breach, what do you do? How quickly must you notify your patients? What can you do to mitigate the damage? Having a plan in place, and trusted advisors to consult with, before a breach can make your post-breach response much more effective.
- Get help from professionals: Given the complexities of federal and state laws that govern protected health information and patient privacy (including HIPAA), engaging lawyers and HIPAA consultants to audit and then help implement all necessary requirements as well as monitor ongoing compliance is highly recommended.