< Back to Thought Leadership

Are Patient Records Safer Now Than Before HIPAA Became Law?

Since HIPAA was originally signed into law in 1996, it has seen five major changes, each intended to make patient information “more safe.” Recently, some clients have been asking us if we think medical records are safer today than before the original HIPAA legislation was passed. Unfortunately, the answer to that question is a resounding NO.

This is a timeline of HIPAA regulation. In 1996, HIPAA was enacted. 2003: Privacy Rule Becomes Effective. 2005: Security Rule Becomes Effective. 2006: Enforcement Rule Becomes Effective. 2009: HITECH, Meaningful Use, Breach Notification Rule happens. 2013: Final Omnibus Rule happens.

We believe Meaningful Use and the widespread adoption of Electronic Health Record systems have been the two greatest contributors to making patient records LESS safe. With that action, healthcare became one of the most targeted industries by cyber bad-guys. As illustrated below, in 2009 there were approximately 18 known breaches within the healthcare vertical. The next year there were 199 which is a 1,000% increase. With the exception of one year, 2015, healthcare breaches have increased every single year.

This graph shows the increase of reported data breaches from 2009 to 2018. 2009 had 18 breaches, 2010 had 199, 2011 had 200, 2012 had 217, 2013 had 278, 2014 had 31, 2015 had 269, 2016 had 327, 2018 had 359, 2019 had 365.

Why healthcare?

In 1952, famous bank robber Slick Willie Sutton was allegedly asked, “Why do you rob banks?” to which he responded, “That’s where the money is.”

Prior to 2009, cyber breaches were happening primarily in the financial services and retail space. Why? That’s where the money was. Credit card numbers and social security numbers are monetizable assets on the dark web/black market by modern-day bank robbers. When healthcare migrated all of a patient’s information online, the bad-guys identified a new, healthcare “bank” to rob,  which held a lot more money in it and was easier to rob. Today, health records are more valuable than any other record type.

A social security number is worth $0.01-0.10. A credit card number is worth $0.25-$1.00. A health record is worth $50-500.

While estimates over the current value of different record types vary from source to source, one thing is clear, health records are the most valuable type of record on the black market. Not only do they contain the information needed to create false identities, health records also contain the even more valuable health insurance number that can be used to commit insurance fraud and drive significantly more ill-gotten gains than a credit card scheme.

In addition to the value of the records, other reasons healthcare has been victimized includes:

  • Hospitals (particularly smaller hospitals) have not made the same investment in security controls that financial service institutions and retailers have made in the last 10-15 years making them an easier target.
  • Healthcare’s network is dramatically expanding beyond the four walls of the hospital or doctor’s office through interconnected medical devices. Each extension is a potential open window into the network and access to health records.
  • Increased merger and acquisition activity. Larger health systems acquiring smaller entities with inferior security controls become exposed when attempting to connect those entities into the acquiring hospital’s network.

What can be done better?

Your First Line of Defense is Your Weakest Link.
Employees need to be trained regarding safe computing practices including being able to identify phishing emails. This training should be reinforced with test internal phishing email campaigns.

Just three months ago, a Montana health system was breached via a sophisticated phishing campaign, compromising 130,000 patient records including insurance numbers. Per the Director of Information Systems “…the unit is very well equipped to prevent and handle cyber-incidents, conducting annual threat assessments and compliance audits. Nevertheless, by virtue of basic day-to-day operations and allowing the employees to do their job, there’s always a little window of vulnerability…”

Where is your data and what are the risks?
Hospitals need to improve their risk assessment process. This can’t be treated as a checklist exercise. You need to determine where your patient data resides (beyond EHRs) and understand/ document the risks to that data within their respective technology repositories.

Not if, but when: prepare to respond.
Hospitals must do a much better job of incident response, including having detailed response plans and testing those plans regularly.

Get known vulnerabilities off your main network.
Medical device manufacturers have a less than stellar history of patching identified vulnerabilities in their devices. These should be segmented on your network to limit traffic from that segment of the network from infecting the overall hospital network.

Blue & Co. has an experienced cybersecurity team prepared to assist you with your cyber security and HIPAA compliance needs. If you have questions or would like to discuss, please reach out to our Cybersecurity and Data Management practice leader, Tom Skoog through our contact form.

not-for-profit cecl model

Decoding The New CECL Model for Not-For-Profits

By Priya Singleton, CPA, Director at Blue & Co. The Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2016-13 Financial Instruments – Credit Losses (Topic 326): Measurement of […]

Learn More

Final Hospital 340B Outpatient Prospective Payment System (“OPPS”) Remedy

On November 2, 2023, the Centers for Medicare & Medicaid Services (CMS) released a final rule outlining a plan to correct and reverse the 340B payment cuts from calendar years […]

Learn More
restricted fund tracking

Restricted Fund Tracking and Cash Management

By Andrew Brock, CPA, Senior Manager at Blue & Co. Earlier in June 2023, an article was published by our not-for-profit services team titled “Unveiling the Dynamics of Donor-Restricted Contributions”. […]

Learn More