
Are Patient Records Safer Now Than Before HIPAA Became Law?

Since HIPAA was originally signed into law in 1996, it has seen five major changes, each intended to make patient information “more safe.” Recently, some clients have been asking us if we think medical records are safer today than before the original HIPAA legislation was passed. Unfortunately, the answer to that question is a resounding NO.

Timeline of HIPAA regulation:

  • 1996: HIPAA enacted.
  • 2003: Privacy Rule becomes effective.
  • 2005: Security Rule becomes effective.
  • 2006: Enforcement Rule becomes effective.
  • 2009: HITECH, Meaningful Use, and the Breach Notification Rule.
  • 2013: Final Omnibus Rule.

We believe Meaningful Use and the widespread adoption of Electronic Health Record systems have been the two greatest contributors to making patient records LESS safe. With that shift, healthcare became one of the industries most targeted by cyber bad-guys. As illustrated below, in 2009 there were approximately 18 known breaches within the healthcare vertical. The next year there were 199, a 1,000% increase. With the exception of one year, 2015, healthcare breaches have increased every single year.

Reported healthcare data breaches by year, as shown in the graph:

  • 2009: 18
  • 2010: 199
  • 2011: 200
  • 2012: 217
  • 2013: 278
  • 2014: 31
  • 2015: 269
  • 2016: 327
  • 2018: 359
  • 2019: 365

Why healthcare?

In 1952, famous bank robber Slick Willie Sutton was allegedly asked, “Why do you rob banks?” to which he responded, “That’s where the money is.”

Prior to 2009, cyber breaches were happening primarily in the financial services and retail space. Why? That’s where the money was. Credit card numbers and social security numbers are assets that modern-day bank robbers can monetize on the dark web/black market. When healthcare migrated all of a patient’s information online, the bad-guys identified a new “bank” to rob, one that held a lot more money and was easier to break into. Today, health records are more valuable than any other record type.

Approximate black-market value by record type:

  • Social security number: $0.01-$0.10
  • Credit card number: $0.25-$1.00
  • Health record: $50-$500

While estimates of the current value of different record types vary from source to source, one thing is clear: health records are the most valuable type of record on the black market. Not only do they contain the information needed to create false identities, they also contain the even more valuable health insurance number, which can be used to commit insurance fraud and generate significantly more ill-gotten gains than a credit card scheme.

In addition to the value of the records, other reasons healthcare has been victimized include:

  • Hospitals (particularly smaller hospitals) have not made the same investment in security controls that financial service institutions and retailers have made in the last 10-15 years, making them an easier target.
  • Healthcare’s network is dramatically expanding beyond the four walls of the hospital or doctor’s office through interconnected medical devices. Each extension is a potential open window into the network and, through it, to health records.
  • Increased merger and acquisition activity. Larger health systems that acquire smaller entities with inferior security controls become exposed when they connect those entities to the acquiring hospital’s network.

What can be done better?

Your First Line of Defense is Your Weakest Link.
Employees need to be trained in safe computing practices, including how to identify phishing emails. This training should be reinforced with internal test phishing campaigns.

Just three months ago, a Montana health system was breached via a sophisticated phishing campaign, compromising 130,000 patient records including insurance numbers. Per the Director of Information Systems “…the unit is very well equipped to prevent and handle cyber-incidents, conducting annual threat assessments and compliance audits. Nevertheless, by virtue of basic day-to-day operations and allowing the employees to do their job, there’s always a little window of vulnerability…”

Where is your data and what are the risks?
Hospitals need to improve their risk assessment process. This can’t be treated as a checklist exercise. You need to determine where your patient data resides (beyond EHRs) and understand and document the risks to that data within each technology repository that holds it.

Not if, but when: prepare to respond.
Hospitals must do a much better job of incident response, including having detailed response plans and testing those plans regularly.

Get known vulnerabilities off your main network.
Medical device manufacturers have a less than stellar history of patching identified vulnerabilities in their devices. These devices should be placed on their own network segment, with traffic from that segment restricted so that a compromised device cannot infect the overall hospital network.

Blue & Co. has an experienced cyber security team prepared to assist you with your cyber security and HIPAA compliance needs. If you have questions or would like to discuss, please reach out to our IT Risk & Advisory practice leader, Tom Skoog through our contact form.
