The Challenge: The healthcare community shows great concern for the privacy and security of patient data, yet health information remains at risk from improper stewardship. We regularly hear news of care disruptions due to ransomware [2, 9], unencrypted laptops with health data being lost or stolen [3, 4], companies being fined for insecure practices [5, 6], and humiliating public notices of Protected Health Information (PHI) breaches [7, 8]. The business of selling PHI on the black market is lucrative, and healthcare cybercrime continues to grow.
Despite healthcare's best efforts, PHI remains at risk because properly handling patient information is not an easy task. As illustrated in the HIPAA security standards, PHI requires a wide variety of safeguards to protect it from the myriad ways in which it can be compromised. USB memory sticks, laptops, computers, or paper files can all be physically stolen. Employees can be tricked into divulging passwords and other account information through social engineering. Visiting the wrong website or clicking the wrong link can open computers up to exploitation. The use of old, unpatched software can leave computers exposed to both targeted and blanket attacks. WannaCry is a recent example of a blanket ransomware attack that infected unpatched Windows machines and brought 16 UK hospital systems to a standstill [9].
There is no silver bullet to eliminate these risks. Currently, it takes a comprehensive, organized approach to security, involving multiple technologies and policies working in concert, to effectively limit the risks of working with patient information. Healthcare practitioners are generally not trained in information security, yet legislation like HIPAA leaves them liable for the proper implementation of security controls. What legislation applies to the practice? What security controls will meet the regulatory requirements? What are the greatest risks to PHI that the practice faces? What websites, blogs, or consultants can be trusted to provide useful advice? What security products are out there? Which ones are effective? These are the types of questions each practice is expected to answer for itself. Ignoring them, or answering them poorly, can lead to substantial fines or, worse, a breach of patient data that violates the trust patients place in healthcare professionals when sharing personal information. With civil penalties of up to $1.5 million per specific type of violation [10], criminal penalties of up to $250,000 and 10 years in prison [11], and public news coverage of breaches, the motivation is there. What is lacking is a clear and effective solution.
The Path Forward: "Your Doctor's Office is Vulnerable to Hackers but Congress Could Change That" [1] is an article that illustrates a proposal to improve the current situation. The authors suggest that large hospitals could share their cybersecurity technology with doctors' offices. The report that led to this proposal was the result of the Cybersecurity Act of 2015, and it involved a collaborative effort of multiple parties with expertise in the area of concern. This proposal is not a silver bullet either, but it shows the potential for collaborative efforts to move us toward creative solutions to a complex problem. It is one of many potential opportunities for large institutions and pillars of the healthcare community to unite the community and lead the way in finding collective solutions to this difficult problem.
**Referenced Articles:**
1. Your Doctor's Office Is Vulnerable to Hackers, but Congress Could Change That
2. Ransomware: See the 14 hospitals attacked so far in 2016
3. Southwest Community Health Center – Notice of Data Security Event
4. PHI Security of 20K Possibly Affected from RI Laptop Theft
5. HHS Enforcement Highlights
6. 6 largest HIPAA settlement fines of 2016
7. HHS OCR Breaches Affecting 500 or More Individuals
8. Largest Healthcare Data Breaches of 2016
9. UK hospitals hit with massive ransomware attack
10. HIPAA Administrative Simplification
11. Department of Justice Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6