< Back to Thought Leadership

Are Patient Records Safer Now Than Before HIPAA Became Law?

Since HIPAA was originally signed into law in 1996, it has seen five major changes, each intended to make patient information “more safe.” Recently, some clients have been asking us if we think medical records are safer today than before the original HIPAA legislation was passed. Unfortunately, the answer to that question is a resounding NO.

This is a timeline of HIPAA regulation. In 1996, HIPAA was enacted. 2003: Privacy Rule Becomes Effective. 2005: Security Rule Becomes Effective. 2006: Enforcement Rule Becomes Effective. 2009: HITECH, Meaningful Use, Breach Notification Rule happens. 2013: Final Omnibus Rule happens.

We believe Meaningful Use and the widespread adoption of Electronic Health Record systems have been the two greatest contributors to making patient records LESS safe. With that action, healthcare became one of the most targeted industries by cyber bad-guys. As illustrated below, in 2009 there were approximately 18 known breaches within the healthcare vertical. The next year there were 199 which is a 1,000% increase. With the exception of one year, 2015, healthcare breaches have increased every single year.

This graph shows the increase of reported data breaches from 2009 to 2018. 2009 had 18 breaches, 2010 had 199, 2011 had 200, 2012 had 217, 2013 had 278, 2014 had 31, 2015 had 269, 2016 had 327, 2018 had 359, 2019 had 365.

Why healthcare?

In 1952, famous bank robber Slick Willie Sutton was allegedly asked, “Why do you rob banks?” to which he responded, “That’s where the money is.”

Prior to 2009, cyber breaches were happening primarily in the financial services and retail space. Why? That’s where the money was. Credit card numbers and social security numbers are monetizable assets on the dark web/black market by modern-day bank robbers. When healthcare migrated all of a patient’s information online, the bad-guys identified a new, healthcare “bank” to rob,  which held a lot more money in it and was easier to rob. Today, health records are more valuable than any other record type.

A social security number is worth $0.01-0.10. A credit card number is worth $0.25-$1.00. A health record is worth $50-500.

While estimates over the current value of different record types vary from source to source, one thing is clear, health records are the most valuable type of record on the black market. Not only do they contain the information needed to create false identities, health records also contain the even more valuable health insurance number that can be used to commit insurance fraud and drive significantly more ill-gotten gains than a credit card scheme.

In addition to the value of the records, other reasons healthcare has been victimized includes:

  • Hospitals (particularly smaller hospitals) have not made the same investment in security controls that financial service institutions and retailers have made in the last 10-15 years making them an easier target.
  • Healthcare’s network is dramatically expanding beyond the four walls of the hospital or doctor’s office through interconnected medical devices. Each extension is a potential open window into the network and access to health records.
  • Increased merger and acquisition activity. Larger health systems acquiring smaller entities with inferior security controls become exposed when attempting to connect those entities into the acquiring hospital’s network.

What can be done better?

Your First Line of Defense is Your Weakest Link.
Employees need to be trained regarding safe computing practices including being able to identify phishing emails. This training should be reinforced with test internal phishing email campaigns.

Just three months ago, a Montana health system was breached via a sophisticated phishing campaign, compromising 130,000 patient records including insurance numbers. Per the Director of Information Systems “…the unit is very well equipped to prevent and handle cyber-incidents, conducting annual threat assessments and compliance audits. Nevertheless, by virtue of basic day-to-day operations and allowing the employees to do their job, there’s always a little window of vulnerability…”

Where is your data and what are the risks?
Hospitals need to improve their risk assessment process. This can’t be treated as a checklist exercise. You need to determine where your patient data resides (beyond EHRs) and understand/ document the risks to that data within their respective technology repositories.

Not if, but when: prepare to respond.
Hospitals must do a much better job of incident response, including having detailed response plans and testing those plans regularly.

Get known vulnerabilities off your main network.
Medical device manufacturers have a less than stellar history of patching identified vulnerabilities in their devices. These should be segmented on your network to limit traffic from that segment of the network from infecting the overall hospital network.

Blue & Co. has an experienced cybersecurity team prepared to assist you with your cyber security and HIPAA compliance needs. If you have questions or would like to discuss, please reach out to our Cybersecurity and Data Management practice leader, Tom Skoog through our contact form.

IRS 501(r) Compliance: Financial Assistance Policy and Amounts Generally Billed Calculation

Non-profit hospital organizations as defined by Section 501(c)(3) must meet requirements imposed by Section 501(r) on a facility-by-facility basis to be treated as a tax-exempt organization. According to the Internal Revenue […]

Learn More

Hospital Price Transparency: What’s New in 2024 and Beyond

The Centers for Medicare & Medicaid Services (CMS) has introduced significant changes to the requirements for hospital price transparency. The aim is to enhance pricing transparency and ensure compliance with […]

Learn More
building and using insurance reserves

Building and Using Insurance Reserves for Sustainability

By Annmarie Novotney, CPA, Director at Blue & Co. Not-for-profit organizations have been dealing with changing circumstances on many fronts over the last five years. Part of this changing landscape […]

Learn More