11 Data Security Tips to Prepare for the 'Year of the Healthcare Hack'

February 20, 2015 Brian Watson

While it’s still really early, Anthem’s massive database breach is the clear frontrunner for healthcare story of the year in 2015.

A sophisticated, large-scale intrusion that exposed the personal information of as many as 80 million patients tends to grab big headlines, after all – especially when it’s nearly 20 times larger than the previous record for a HIPAA data breach. 

And while a loss of that size is clearly big news on its own, that it goes against the conventional HIPAA incident narrative makes it even more significant.

Even with the number of HIPAA breaches rising by 138% year-over-year in 2013, 85% of total records accessed came from just five events.  Similarly, healthcare led all industries in 2013 in total number of breaches, but only accounted for 8% of all records exposed.

Those figures suggest healthcare breaches tend to be frequent but small, the result of ‘simple’ threats, like device theft, accidental data loss, or improper business associate activities.  The Anthem hack, on the other hand, was well planned and executed – and could end up traced back to state-sponsored hackers.

Preparing for the ‘Year of the Healthcare Hack’

The hard truth is that this latest leak is probably the canary in the coalmine for providers.  With medical records now more valuable than credit card data on the black market, this isn’t the last large, complex PHI hack we’ll see – maybe not even the last this year.

But all HIPAA-related incidents are on the rise, and most of them don’t have anything to do with state-sponsored Chinese hackers, advanced malware, or high-level server attacks.  Those can still be expensive or embarrassing.  And the root causes of those leaks still need attention too.

To patch up security holes, providers need to devote more time and resources to developing a holistic PHI protection plan – one that covers everything from servers to employee social media habits.

In this post, I’ll examine some of the most common and costly HIPAA incidents of the past few years (from intricate hacks to simple shredding fails), with an eye towards actionable security lessons.

Device Theft

An unencrypted laptop stolen from the car of an employee at the Springfield Missouri Physical Therapy Center in 2012 led to hefty HIPAA fines for parent company Concentra Health Services – a national provider of occupational medicine. 

Although the breach was small in scope – just 148 patient medical records were involved – its financial impact was significant.  After a multi-year investigation, U.S. Health and Human Services handed down a $1.975 million fine in 2014. 

Theft of devices and storage hardware containing PHI is among the most commonly reported HIPAA incidents.  Over the past five years, many of the most high-profile leaks have been of the ‘smash-and-grab’ variety.  That includes:

• Back-up tapes stolen from the car of a TRICARE Management Activity contractor in 2011 containing PHI and demographic info for 4.9 million patients.

• Storage devices stolen from a vendor's unlocked van that held PHI for 1.7 million New York Health & Hospitals Corporation patients in 2010.

• Theft of an unencrypted USB drive from an Alaska Department of Health and Human Services employee’s car in 2012 that led to over $1.7 million in fines.

Device portability has clear productivity and employee satisfaction benefits.  But for industries – like healthcare – where the contents of a laptop or tablet might include the protected information on thousands of customers, it can also lead to very expensive and public data leaks.

The growing popularity of Bring Your Own Device (BYOD) policies as a cost-saving strategy further complicates things.  While efficient, it also comes with built-in issues: lack of control, encryption gaps, and problems wiping data from departing employees’ devices.

Lessons Learned

• Encrypt all devices with access to PHI – especially devices used under a BYOD policy or that employees regularly use outside of work.  Theft happens – even to organizations with rigorous security policies.  The key is having an encryption strategy that limits the fallout: preventing thieves from accessing PHI and limiting HIPAA-related liability from ‘smash-and-grab’ theft.

• Develop a clear, written set of policies that guide BYOD and offsite device usage.

• Use mobile device management to secure files and work on the devices that employees bring from home or take from the office.

Data Loss

In May 2013, a portion of Texas Health Harris Hospital's patient microfiche records from the 1980s and 90s meant for disposal were found by a Fort Worth resident in a local park.  Upon investigation, the hospital discovered that a paper-shredding company contracted to dispose of confidential patient records had failed to adequately dispose of materials – leading to the embarrassing (and strange) data leak.

Although the breach’s record format is unique, data loss is frequently at the bottom of large-scale HIPAA incidents:

• A storage cabinet was lost in a remodeling project in 2011 at Nemours – a pediatric health system – containing unencrypted back-up tapes with PHI for nearly 1.6 million patients.

• An improper server deactivation at New York Presbyterian Hospital resulted in PHI from 6,800 patients being accessible to the public via Google – and a record $4.8 million fine.

• The hard drive on a photocopier leased by Affinity Health Plans wasn’t properly wiped of PHI before being returned to the leasing agent – exposing an estimated 344,579 records and leading to $1.2 million in HHS fines.

• A computer programming error during statement print and mail operations at the Indiana Family and Social Services Administration led to statements being duplicated and sent to the wrong addressee – potentially exposing PHI of 187,000-plus clients.

Lessons Learned

• Work with vendors that take their HIPAA responsibility as seriously as you do.  An authorized BAA isn’t enough – not with HITECH regulations leaving a murky gray area as to the responsibility providers have for ensuring their vendors’ compliance.  Vet your partners thoroughly – including protection policies, certifications, and physical building security – before sharing PHI.

• Scrutinize your vendors’ security history.  You can learn a lot from a company’s policies.  But their track-record is often even more instructive.  Don’t be afraid to ask about the problem areas identified in a vendor’s most recent security assessment – or to solicit breach information.  Has a company had a security incident?  If so, how was it identified, escalated, responded to, and reported?

• Realistically analyze your level of risk.  A comprehensive security plan is a good first step.  But to have real value, a plan needs to be actionable: helping to identify areas where your security is lacking and the technological and educational safeguards that can help plug those gaps.  Being mindful of weaknesses can help prevent addressable mistakes – like data leaks of PHI to public-facing websites.   

• Give special scrutiny to outsourced services that involve communicating or disposing of patient financial and medical data – like shredding, statement processing, or EMR.  Despite the rise in HIPAA breaches, only 6% of incidents reported in 2013 were the result of data hacks.  It’s far more likely that a leak will result from theft or loss – making companies that transport PHI or present patient billing information especially vulnerable.

Planned Hacks

Planned hacks of healthcare providers are quickly growing in number and sophistication.  That’s not surprising, given that stolen health credentials are now more valuable on the black market than credit card information.  A recent PhishLabs study claimed medical records often go for $10 each – roughly 10 to 20 times the value of a credit card number.

Hackers are increasingly targeting healthcare providers because it’s much more likely that stolen data goes undetected when compared with financial data – which is usually quickly identified by banks or card issuers.  That has led to several multi-million record hacks over the last few years – in addition to the recent headline-grabbing Anthem incident.

• A “Heartbleed” cyber-attack of Community Health Systems in 2014 by Chinese hackers looking for intellectual property information led to 4.5 million patient records being compromised.

• Hackers used malware to gain access to over 1.3 million patient records stored on a server at the Montana Department of Public Health and Human Services in 2013 and 2014.

Lessons Learned

• Focus on website and application cyber-security.  With retail and financial hacks becoming less lucrative and more difficult to pull off, many hackers are turning their attention to health targets – with experts warning 2015 could be the ‘Year of the Healthcare Hack’.  That means it’s time for providers – both large and small – to spend more time and resources assessing and improving the security of online tools.

Improper Employee Access

An employee of University Hospitals in Cleveland was fired in 2014 for using the hospital’s electronic medical record system over a three-year period to access the demographic, medical and health records, and – in some cases – social security and credit/debit card numbers.

Unfortunately, that kind of breach is not at all atypical.

According to IT security firm Redspin, 22% of the HIPAA data breaches filed with the U.S. Department of Health and Human Services since 2009 involved unauthorized access.  That figure doesn’t even account for breaches of under five hundred records, which aren’t required to be publicly reported – and likely include a large number of employee-related incidents.

Employee-related HIPAA incidents run the gamut from information theft – like the example above – to simple snooping.  For example:

• A medical researcher at the UCLA School of Medicine was found guilty in 2010 of using access rights to snoop on the health records of celebrities like Tom Hanks and Barbara Walters.

• In 2014, a financial services employee at the UC Medical Center posted a patient’s confidential test results on Facebook in violation of her privacy.

• More than 12,000 patients of Franciscan Health System had their personal information accessed after hackers obtained access to the email accounts of several employees who responded to a phishing scam.

Lessons Learned

• Set clear data access and dissemination guidelines for PHI.  Your employees should never be able to plead ignorance as an excuse for sharing confidential information on a public platform.

• Use access roles and rights.  Not every employee needs to have access to sensitive patient information.  Restrict access on a need-to-access basis – limiting data rights to those employees that interact with PHI as part of their core job responsibilities.

• Conduct a thorough criminal and background check on all employees – especially staff expected to have access to patient data.
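The access-role and need-to-access lessons above are easier to reason about in code than in prose. The following is an added example, not code from the original post or from any provider mentioned in it: a small PHI store that checks both the user's role (which fields the job needs) and a current care relationship with the patient (hypothetical policy) before releasing anything, logs every attempt whether allowed or denied, and flags users whose denied attempts pile up for a snooping review. All patient records, users and roles are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample records: no real patients or identifiers.
PATIENT_RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {"name": "Patient A", "diagnosis": "asthma",
               "ssn": "000-00-0001", "insurance_id": "INS-A"},
    "P-1002": {"name": "Patient B", "diagnosis": "fracture",
               "ssn": "000-00-0002", "insurance_id": "INS-B"},
    "P-1003": {"name": "Patient C", "diagnosis": "migraine",
               "ssn": "000-00-0003", "insurance_id": "INS-C"},
}

# Fields each role may read: only what the core job requires. No role
# is granted "ssn", so a field nobody's duties need stays unreadable.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"name", "diagnosis"},
    "billing": {"name", "insurance_id"},
}


@dataclass
class User:
    user_id: str
    role: str
    # Patients this user currently treats or bills. A care relationship is
    # required in addition to the role (hypothetical policy for this example).
    assigned_patients: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    patient_id: str
    fields: frozenset
    allowed: bool
    reason: str


class PHIStore:
    """Mediates every read of PHI and records the attempt, allowed or not."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records
        self.audit: List[AuditEvent] = []

    def read(self, user: User, patient_id: str, fields: Set[str]) -> Dict[str, str]:
        permitted = ROLE_FIELDS.get(user.role, set())
        extra = set(fields) - permitted
        if patient_id not in self._records:
            reason = "unknown patient"
        elif patient_id not in user.assigned_patients:
            reason = "no care relationship with patient"
        elif extra:
            reason = "fields outside role: " + ", ".join(sorted(extra))
        else:
            reason = "ok"
        allowed = reason == "ok"
        # Denied attempts are logged too; they are the snooping signal.
        self.audit.append(AuditEvent(user.user_id, patient_id,
                                     frozenset(fields), allowed, reason))
        if not allowed:
            raise PermissionError(f"{user.user_id}: {reason}")
        record = self._records[patient_id]
        return {name: record[name] for name in fields}


def flag_users_for_review(audit: List[AuditEvent], max_denials: int = 3) -> Set[str]:
    """Users whose denied attempts reach the threshold: candidates for a
    manual review, not an automatic verdict."""
    denials: Dict[str, int] = {}
    for event in audit:
        if not event.allowed:
            denials[event.user_id] = denials.get(event.user_id, 0) + 1
    return {uid for uid, count in denials.items() if count >= max_denials}


def run_scenario() -> dict:
    """Constructed walk-through: one clinician probing beyond need-to-know."""
    store = PHIStore(PATIENT_RECORDS)
    dr_lee = User("dr_lee", "clinician", {"P-1001"})
    billing = User("bill_ops", "billing", {"P-1001", "P-1002"})

    clinician_view = store.read(dr_lee, "P-1001", {"name", "diagnosis"})
    billing_view = store.read(billing, "P-1002", {"insurance_id"})

    denials = []
    for patient_id, fields in [("P-1001", {"ssn"}),          # field outside role
                               ("P-1002", {"name"}),         # patient not assigned
                               ("P-1003", {"diagnosis"})]:   # patient not assigned
        try:
            store.read(dr_lee, patient_id, fields)
        except PermissionError as exc:
            denials.append(str(exc))

    return {
        "clinician_view": clinician_view,
        "billing_view": billing_view,
        "denials": denials,
        "flagged": flag_users_for_review(store.audit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two design choices matter here. First, the role check alone would not have stopped the University Hospitals case, since the employee presumably held a legitimate role; the relationship check is what limits a valid role to the patients the job actually involves. Second, the audit log records denials as well as successes, because a user who keeps bumping into "no care relationship" on records they were never assigned is exactly the pattern a snooping review should start from.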
