< Back to Thought Leadership

Are Patient Records Safer Now Than Before HIPAA Became Law?

Since HIPAA was originally signed into law in 1996, it has seen five major changes, each intended to make patient information “more safe.” Recently, some clients have been asking us if we think medical records are safer today than before the original HIPAA legislation was passed. Unfortunately, the answer to that question is a resounding NO.

This is a timeline of HIPAA regulation. In 1996, HIPAA was enacted. 2003: Privacy Rule Becomes Effective. 2005: Security Rule Becomes Effective. 2006: Enforcement Rule Becomes Effective. 2009: HITECH, Meaningful Use, Breach Notification Rule happens. 2013: Final Omnibus Rule happens.

We believe Meaningful Use and the widespread adoption of Electronic Health Record systems have been the two greatest contributors to making patient records LESS safe. With that action, healthcare became one of the most targeted industries by cyber bad-guys. As illustrated below, in 2009 there were approximately 18 known breaches within the healthcare vertical. The next year there were 199 which is a 1,000% increase. With the exception of one year, 2015, healthcare breaches have increased every single year.

This graph shows the increase of reported data breaches from 2009 to 2018. 2009 had 18 breaches, 2010 had 199, 2011 had 200, 2012 had 217, 2013 had 278, 2014 had 31, 2015 had 269, 2016 had 327, 2018 had 359, 2019 had 365.

Why healthcare?

In 1952, famous bank robber Slick Willie Sutton was allegedly asked, “Why do you rob banks?” to which he responded, “That’s where the money is.”

Prior to 2009, cyber breaches were happening primarily in the financial services and retail space. Why? That’s where the money was. Credit card numbers and social security numbers are monetizable assets on the dark web/black market by modern-day bank robbers. When healthcare migrated all of a patient’s information online, the bad-guys identified a new, healthcare “bank” to rob,  which held a lot more money in it and was easier to rob. Today, health records are more valuable than any other record type.

A social security number is worth $0.01-0.10. A credit card number is worth $0.25-$1.00. A health record is worth $50-500.

While estimates over the current value of different record types vary from source to source, one thing is clear, health records are the most valuable type of record on the black market. Not only do they contain the information needed to create false identities, health records also contain the even more valuable health insurance number that can be used to commit insurance fraud and drive significantly more ill-gotten gains than a credit card scheme.

In addition to the value of the records, other reasons healthcare has been victimized includes:

  • Hospitals (particularly smaller hospitals) have not made the same investment in security controls that financial service institutions and retailers have made in the last 10-15 years making them an easier target.
  • Healthcare’s network is dramatically expanding beyond the four walls of the hospital or doctor’s office through interconnected medical devices. Each extension is a potential open window into the network and access to health records.
  • Increased merger and acquisition activity. Larger health systems acquiring smaller entities with inferior security controls become exposed when attempting to connect those entities into the acquiring hospital’s network.

What can be done better?

Your First Line of Defense is Your Weakest Link.
Employees need to be trained regarding safe computing practices including being able to identify phishing emails. This training should be reinforced with test internal phishing email campaigns.

Just three months ago, a Montana health system was breached via a sophisticated phishing campaign, compromising 130,000 patient records including insurance numbers. Per the Director of Information Systems “…the unit is very well equipped to prevent and handle cyber-incidents, conducting annual threat assessments and compliance audits. Nevertheless, by virtue of basic day-to-day operations and allowing the employees to do their job, there’s always a little window of vulnerability…”

Where is your data and what are the risks?
Hospitals need to improve their risk assessment process. This can’t be treated as a checklist exercise. You need to determine where your patient data resides (beyond EHRs) and understand/ document the risks to that data within their respective technology repositories.

Not if, but when: prepare to respond.
Hospitals must do a much better job of incident response, including having detailed response plans and testing those plans regularly.

Get known vulnerabilities off your main network.
Medical device manufacturers have a less than stellar history of patching identified vulnerabilities in their devices. These should be segmented on your network to limit traffic from that segment of the network from infecting the overall hospital network.

Blue & Co. has an experienced cyber security team prepared to assist you with your cyber security and HIPAA compliance needs. If you have questions or would like to discuss, please reach out to our IT Risk & Advisory practice leader, Tom Skoog through our contact form.

Contributions and Exchange Transactions_ A Reminder on Upcoming New Revenue Standards

Contributions and Exchange Transactions: A Reminder on Upcoming New Revenue Standards

In 2018, the Financial Accounting Standards Board (FASB) released Accounting Standards Update (ASU) 2018-08, Not-for-Profit Entities (Topic 958): Clarifying the Scope and the Accounting Guidance for Contributions Received and Contributions Made. The effective date of this ASU corresponds to the implementation of ASU 2014-09, Revenue from Contracts with Customers (Topic 606), both of which are […]

Learn More
Using Your 401(k) Plan to Save

Using Your 401(k) Plan to Save

You can reduce taxes and save for retirement by contributing to a tax-advantaged retirement plan. If your employer offers a 401(k) or Roth 401(k) plan, contributing to it is a taxwise way to build a nest egg. If you’re not already contributing the maximum allowed, consider increasing your contribution rate between now and year-end. Because […]

Learn More
Small Business 1099-MISC Reporting Requirements

Small Business 1099-MISC Reporting Requirements

A month after the new year begins, your business may be required to comply with rules to report amounts paid to independent contractors, vendors, and others. This involves sending 1099-MISC forms to those whom you pay nonemployee compensation, as well as filing copies with the IRS to avoid penalties. While this task can be time-consuming, […]

Learn More