The Health Insurance Portability and Accountability Act (HIPAA) helps protect patient privacy by requiring healthcare organizations and their business associates to protect sensitive data — including how the data is used and disclosed. As the healthcare industry is increasingly being targeted by cyber attackers, HIPAA gives healthcare organizations minimum benchmarks for assessing and implementing their cyber defenses.
Patient health data is highly sought after by cyber criminals because they can exploit it in many different ways and for much longer periods of time as compared to information such as credit card numbers. On black market marketplaces on the Darkweb, stolen medical data can sell for 10 to 20 times more than credit card data. One report found that stolen Medicare numbers sold for nearly $500 each.
Because medical records are rich with information, they can be used for committing identity theft, medical identity theft, and tax fraud; obtaining loans or credit cards, sending fake bills to insurance companies; obtaining and then reselling expensive medical equipment — and the list goes on. And unlike a credit card number, that can easily be cancelled if it has been compromised, medical health records can’t be altered and tend to last a lot longer. Stolen medical records of terminally ill patients are especially valuable because that information can be used to receive other services on behalf of the patient long after the patient has passed away.
HIPAA requires that healthcare organizations report any data breaches involving more than 500 patient records. According to the HHS web portal, there have been 205 such breaches so far this year. Many data breaches of electronic protected health information (ePHI) that have resulted in HIPAA fines were the result of carelessness or lack of data protection and could have been avoided.
Numerous HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. A risk assessment is a foundational step that healthcare organizations must take in order to evaluate all the vulnerabilities, threats, and gaps in defenses in order to mitigate security risks.
The Worst HIPAA Violations — and What You Can Learn from Them
Advocate Health Care Network, $5.5 million
This is the largest HIPAA settlement as of September 2016 and was the result of three separate data breaches that affected a total of 4 million individuals. One of the incidents involved an unencrypted laptop that was stolen from an employee vehicle and another incident involved the theft of four computers.
The Department of Human and Health Services Office of Civil Rights (OCR), which enforces HIPAA, noted that Advocate Health Care failed to conduct an accurate and thorough risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI. This risk management plan needs to include not only technical but also physical and administrative measures.
New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
In a joint case, the two organizations were fined after 6,800 patient records were accidently exposed publicly to search engines. The breach was caused by an improperly configured computer server that was personally owned by a physician. The server was connected to the network that contained ePHI.
NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data. It also didn’t have appropriate policies and procedures for authorizing access to patient databases. Both of these violations would have been easy to prevent through administrative processes.
WellPoint, Inc., $1.7 million
The managed care company exposed the records of more than 600,000 individuals over the internet after upgrading an internet-based database containing ePHI. WellPoint didn’t know about the breach until a lawsuit notified the company that the data was available through a web portal.
This kind of incident could be avoided by:
- Performing a technical evaluation of changes resulting from software upgrades ahead of deployment
- Implementing technology, policies, and procedures for authenticating users that are accessing ePHI as well as limiting the categories of users who can access the data.
Anchorage Community Mental Health Services (ACMHS), $150,000
A malware infection compromised the records of more than 2,700 individuals. ASMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources.
This case underscores the importance of having policies and procedures in place for running regular updates and patches. It’s a simple yet often ignored practice that could have major implications.
St. Elizabeth’s Medical Center, $218,400
This settlement stemmed from two incidents, one of which was in connection with staff use of a cloud-based file-sharing application. Specifically, the medical center did not evaluate the risks of using this cloud service, putting ePHI of nearly 500 people at risk.
As more healthcare organizations are embracing the cloud as a scalable, cost-effective and flexible solution for storing and sharing patient data, it’s critical to conduct a risk assessment prior to migrating to a cloud environment. This evaluation should also include a comprehensive analysis of the security capabilities of prospective vendors.
University of Mississippi Medical Center (UMMC), $2.75 million
UMMC reported a breach after a password-protected laptop loaned to a visitor went missing. Subsequently, OCR’s investigation found that users could access a network drive containing ePHI via a wireless network with a generic user name and password. The accessible network drive contained ePHI of 10,000 patients dating as far back as five years.
According to Verizon’s 2016 Data Breach Investigations Report, more than 60 percent of data breaches in 2015 involved weak, stolen, or default passwords. Passwords are a major problem that can have serious consequences for organizations, yet it’s a problem that’s easy to mitigate by implementing strong password-management policies as well as techniques like multi-factor authentication.
Triple-S Management Corp., $3.5 million
This case was the result of multiple, extensive violations involving several subsidiaries. One notable violation related to two former employees whose access rights to a restricted database were not terminated when they left the company. The two then accessed the internet Independent Practice Association (IPA) database, which contained members’ diagnostic and treatment codes, while being employed by a competitor.
Just like poor password-management policies, user-privilege policies are a major problem for organizations. Too often, user access is not terminated when employees leave the company or move to another position within same company that changes their status. Many unauthorized access incidents can be avoided with tools and procedures that manage user access.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI), $1.5 million
OCR found multiple violations after investigating the theft of a personal unencrypted laptop containing patients’ prescriptions and clinical data. The violations included longtime failures to conduct a risk analysis and implement security measures for portable devices.
“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” OCR Director Leon Rodriguez said in the announcement.
Many of the HIPAA settlements to data have involved stolen or lost devices such as laptops as well as removable media like USB drives. What makes this case stand out from many others involving stolen or lost laptops is the fact that this was a personal device.
As healthcare organizations become more open to the bring your own device (BYOD) policies, it’s important to have practices and procedures in place for devices that are not managed by the IT department. Best practices could include credentialing or “registration” of personal devices and controls for giving IT staff advance permission to remotely wipe or lock a stolen device.