Since HIPAA was originally signed into law in 1996, it has seen five major changes, each intended to make patient information “more safe.” Recently, some clients have been asking us if we think medical records are safer today than before the original HIPAA legislation was passed. Unfortunately, the answer to that question is a resounding NO.
We believe Meaningful Use and the widespread adoption of Electronic Health Record systems have been the two greatest contributors to making patient records LESS safe. With that action, healthcare became one of the most targeted industries by cyber bad-guys. As illustrated below, in 2009 there were approximately 18 known breaches within the healthcare vertical. The next year there were 199 which is a 1,000% increase. With the exception of one year, 2015, healthcare breaches have increased every single year.
In 1952, famous bank robber Slick Willie Sutton was allegedly asked, “Why do you rob banks?” to which he responded, “That’s where the money is.”
Prior to 2009, cyber breaches were happening primarily in the financial services and retail space. Why? That’s where the money was. Credit card numbers and social security numbers are monetizable assets on the dark web/black market by modern-day bank robbers. When healthcare migrated all of a patient’s information online, the bad-guys identified a new, healthcare “bank” to rob, which held a lot more money in it and was easier to rob. Today, health records are more valuable than any other record type.
While estimates over the current value of different record types vary from source to source, one thing is clear, health records are the most valuable type of record on the black market. Not only do they contain the information needed to create false identities, health records also contain the even more valuable health insurance number that can be used to commit insurance fraud and drive significantly more ill-gotten gains than a credit card scheme.
In addition to the value of the records, other reasons healthcare has been victimized includes:
- Hospitals (particularly smaller hospitals) have not made the same investment in security controls that financial service institutions and retailers have made in the last 10-15 years making them an easier target.
- Healthcare’s network is dramatically expanding beyond the four walls of the hospital or doctor’s office through interconnected medical devices. Each extension is a potential open window into the network and access to health records.
- Increased merger and acquisition activity. Larger health systems acquiring smaller entities with inferior security controls become exposed when attempting to connect those entities into the acquiring hospital’s network.
What can be done better?
Your First Line of Defense is Your Weakest Link.
Employees need to be trained regarding safe computing practices including being able to identify phishing emails. This training should be reinforced with test internal phishing email campaigns.
Just three months ago, a Montana health system was breached via a sophisticated phishing campaign, compromising 130,000 patient records including insurance numbers. Per the Director of Information Systems “…the unit is very well equipped to prevent and handle cyber-incidents, conducting annual threat assessments and compliance audits. Nevertheless, by virtue of basic day-to-day operations and allowing the employees to do their job, there’s always a little window of vulnerability…”
Where is your data and what are the risks?
Hospitals need to improve their risk assessment process. This can’t be treated as a checklist exercise. You need to determine where your patient data resides (beyond EHRs) and understand/ document the risks to that data within their respective technology repositories.
Not if, but when: prepare to respond.
Hospitals must do a much better job of incident response, including having detailed response plans and testing those plans regularly.
Get known vulnerabilities off your main network.
Medical device manufacturers have a less than stellar history of patching identified vulnerabilities in their devices. These should be segmented on your network to limit traffic from that segment of the network from infecting the overall hospital network.
Blue & Co. has an experienced cyber security team prepared to assist you with your cyber security and HIPAA compliance needs. If you have questions or would like to discuss, please reach out to our IT Risk & Advisory practice leader, Tom Skoog through our contact form.