A data breach is an event in which sensitive or confidential data is viewed, leaked or transmitted by someone who is not authorized to do so. Unfortunately, data breaches have become a common occurrence; according to BreachLevelIndex, nearly 4 million records are lost globally every day due to data breaches.
The concern is shared by all industries alike. Data breaches over the years have compromised a great deal of sensitive information, such as clients' personal details, contact information, bank records and, in some cases, even their health records. In the late 1990s the United States passed an act named HIPAA to govern healthcare.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. HIPAA was passed by the United States in 1996 and comprises five titles:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Title III: Tax-related health provisions governing medical savings accounts
- Title IV: Application and enforcement of group health insurance requirements
- Title V: Revenue offset governing tax deductions for employers
Title II of HIPAA is the most relevant to IT and is what the industry usually means when it speaks of HIPAA compliance.
Title II specifies the following requirements:
- Protecting the confidentiality of all health information throughout its handling
- Limits on the use and release of health records
- Healthcare providers must follow standard procedures for electronic data interchange in order
- Guidelines for investigating HIPAA compliance violations
- All parties involved must have a unique 10-digit NPI (National Provider Identifier). These parties include healthcare providers, healthcare entities, employers, and individuals.
Data Breaches in Healthcare
Robert Herjavec, CEO of the well-known cyber security firm Herjavec Group, recently stated in an interview that healthcare has overtaken financial institutions as the top target for hackers.
What possible reasons would hackers have to start targeting healthcare institutions instead of the finance industry?
The primary reason is outdated technology. Unlike technology companies and finance institutions, healthcare institutions and providers do not update their technology or data security as often.
This leaves them more vulnerable and prone to cyber attacks: for hackers, it is relatively easy to find known, unpatched weaknesses in outdated software and devices.
Hackers can get hold of information that may include healthcare providers' confidential data, employer data, clients' private medical records and other personal information. A compromise like this can also lead to a ransomware-based attack.
Ransomware is a kind of malware that prevents users from accessing their own systems unless a ransom is paid. Users are generally left helpless in such situations, as the system itself is rendered useless until the demands are met.
Besides ransomware, hackers can also sell the information they have obtained on the dark web or the black market, which is as scary as it sounds. It is entirely possible that, within minutes of a cyber attack, your personal records are put up for sale publicly.
Unfortunately, hackers are not the sole perpetrators carrying out these jobs. It is possible they may find some assistance from within organizations, but not necessarily from the tech department. There are always a few employees who have a very cavalier attitude towards their jobs. It happens in all industries, and healthcare institutions are no exceptions.
Employees casually share documents amongst each other. These documents may have someone’s personal information or a history of their medical records. Or perhaps a complete list of personal details for all registered patients.
While it is true that in most institutions these records are maintained in electronic format, there are still institutions that do not operate in compliance with HIPAA regulations.
Employees in healthcare institutions may not be the most tech-savvy people and may be protecting their electronic health records with very weak passwords.
It should also not be surprising that these weak passwords are also shared among groups of employees. Once again, this practice is common in almost all types of industries (IT companies included), and healthcare institutions are not exempt from this risky practice.
Thankfully, we do have some good news. Data breaches in healthcare have dropped in the last couple of months, the first time in years that the rate of incidents has fallen.
They dropped from an annual high of 42 incidents in August to 35 breaches in October. Some healthcare organizations reported being attacked by ransomware; some lost their data outright, while others tried and failed to recover data from backups.
However, the decrease over the last two months should not be taken as a sign that the healthcare sector is now secure. While the numbers may keep fluctuating, they are never zero. The threat still exists, and there is no way to predict who the next target will be.
Many cyber security companies around the world provide excellent security solutions. These companies not only help upgrade your infrastructure but also manage it for you if that is a part of the agreement. This is a perfect time to secure yourself because it is better to be late than never.