To a healthcare organization, its most valuable assets are the technology used to treat disease and the highly trained medical professionals who care for patients. To an attacker, the most valuable asset is protected health information (PHI). A PHI record ties together facts about a person that cannot be changed (date of birth, diagnoses, medical history), so unlike a stolen password it stays useful for fraud and other misuse indefinitely.
According to a healthcare breach report from cloud security firm Bitglass, hacking and IT incidents accounted for almost 46% of healthcare breaches in 2018. The breach log kept by the Office for Civil Rights (OCR) tells the same story.
That log shows that from 2018 to the present, 354 healthcare entities have reported a breach attributed to hacking. The count may look small for two years, but each incident affected anywhere from a few hundred to hundreds of thousands of individuals. Weak security controls around the systems that store PHI make healthcare a prime target.
How Hackers Access Digital Systems
Hackers don’t need to reinvent the wheel to break into a system that stores PHI. The entry point is often email: a phishing message that carries a malicious attachment or links to a page that harvests credentials. An employee who cannot tell a forged message from a legitimate one opens the attachment or types in a password, and the attacker now has a foothold on the workstation or a valid account, which is frequently all that is needed to reach the rest of the network.
Other entry points include Electronic Health Record (EHR) systems, the network itself, and portable devices that connect to internal servers. Attribution is often impossible because attackers hide behind the anonymity of the internet and the dark web. When an attacker can be identified, they are sometimes disgruntled employees trying to divert patients to competitors, but more often members of a criminal group that steals PHI to sell on the black market.
Profit from selling personal health information is the main motive behind these attacks, but not the only one; stolen records are also used for identity theft, insurance fraud and extortion. That is why healthcare organizations must put security practices in place for their digital networks.
Best Practices for Protecting PHI
Healthcare environments carry many weaknesses: weak security controls, multiple entry points, and unsupported systems, many of which cannot be patched because of their age. IT and data security budgets are rarely large enough to put the controls needed to protect PHI in place. Professionals in healthcare and IT offered the following best practices for shielding PHI from unauthorized parties.
- “Limit the information exposed in any transaction to the absolute minimum. If you can use just PII vs. PHI in any given transaction, do so. For all studies, de-identified PHI should be attested and checked by a privacy or compliance officer before being signed off as ‘for study’ based data sets in research or trials. Ensure that all systems medical professionals touch have an implemented Data Loss Prevention (DLP) solution in place that monitors for a variety of PII and PHI based data and where that data traverses.”
—Dennis Chow, CISO at SCIS Security
- “Every organization handling protected health information (PHI) should focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs. This includes conducting a risk assessment and asset inventory of their organization and mapping the data flow within their enterprise in order to determine their risk in the event of a breach or cyberattack.”
—Lee Barrett, CEO and executive director, Electronic Healthcare Network Accreditation Commission (EHNAC)
- “Encryption is an important security tool designed to protect data. It’s especially useful in the healthcare setting which involves sensitive data that is regulated by HIPAA. Mobile encryption is more widely applied than is server encryption. For the most part, HIPAA breaches have occurred because a computer has been stolen that did not have the data properly encrypted.”
—Marty Puranik, President and CEO of Atlantic.net
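As an added illustration of the data-minimization, de-identification and DLP practices described in the first quote above (this is not code from the article or from any of the people quoted), the following Python script filters a constructed patient record down to what each transaction needs, strips and generalizes identifiers to build a study data set, and scans an outbound message for PHI patterns. The record, the per-transaction field lists and the regular expressions are assumptions made for the example.

```python
"""Minimum-necessary filtering, Safe Harbor style de-identification and a
small DLP scan over outbound text.

Added illustration for this article; it is not code from the article or from
any of the organizations quoted. The patient record, the per-transaction field
lists and the detection patterns are constructed for the example.
"""
import re
from datetime import date

# Constructed sample record for a fictional patient.
RECORD = {
    "mrn": "MRN-00482913",
    "name": "Jane Q. Sample",
    "dob": "1971-03-14",
    "ssn": "123-45-6789",
    "zip": "02139",
    "email": "jane.sample@example.com",
    "diagnosis": "E11.9",        # ICD-10 code
    "lab_result": "HbA1c 7.2%",
    "visit_date": "2019-11-02",
}

# Allow-list per transaction type: each consumer sees only what it needs.
# (Field lists are assumptions for the example, not a regulatory minimum.)
MINIMUM_NECESSARY = {
    "billing": {"mrn", "name", "dob", "diagnosis", "visit_date"},
    "appointment_reminder": {"name", "email", "visit_date"},
    "research_extract": {"dob", "zip", "diagnosis", "lab_result", "visit_date"},
}

# Direct identifiers that a de-identified data set must never carry.
DIRECT_IDENTIFIERS = {"mrn", "name", "ssn", "email"}


def minimum_necessary(record, purpose):
    """Return only the fields the named transaction is allowed to receive."""
    allowed = MINIMUM_NECESSARY[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def deidentify(record, today=date(2020, 1, 1)):
    """Drop direct identifiers and generalize quasi-identifiers.

    Simplified Safe Harbor rules: date of birth becomes an age (aggregated to
    "90+" above 89), other dates keep only the year, ZIP codes keep the first
    three digits. The real rule also zeroes the prefix for sparsely populated
    ZIP3 areas; that list is omitted here.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            born = date.fromisoformat(value)
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            out["age"] = "90+" if age > 89 else age
        elif key == "zip":
            out["zip"] = value[:3] + "00"
        elif key.endswith("_date"):
            out[key.replace("_date", "_year")] = value[:4]
        else:
            out[key] = value
    return out


# DLP patterns for outbound text (constructed; a real DLP engine adds
# checksums, dictionaries and context to cut false positives, and names
# need more than a regex).
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def dlp_scan(text):
    """Return (sorted kinds of PHI found, text with those matches redacted)."""
    found = set()
    redacted = text
    for kind, pattern in DLP_PATTERNS.items():
        if pattern.search(redacted):
            found.add(kind)
            redacted = pattern.sub("[%s REDACTED]" % kind.upper(), redacted)
    return sorted(found), redacted


if __name__ == "__main__":
    print(minimum_necessary(RECORD, "appointment_reminder"))
    print(deidentify(minimum_necessary(RECORD, "research_extract")))
    msg = ("Reminder for Jane Q. Sample (MRN-00482913, SSN 123-45-6789) "
           "sent to jane.sample@example.com")
    print(dlp_scan(msg))
```

The research extract is built by chaining the two steps: first the allow-list removes everything the study does not need, then de-identification generalizes what remains, so a reviewer signing off the data set only has to check the output of one function. The DLP scan deliberately returns what it found as well as the redacted text, because the useful action is usually to block or alert, not silently rewrite.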
Encryption and HIPAA Regulations
The HIPAA Security Rule requires covered entities (CEs), and their business associates, to implement administrative, physical and technical safeguards to protect electronic PHI. It also requires a comprehensive risk analysis that identifies the vulnerabilities that exist so that the responsible administrators can address them.
Encryption is a highly recommended way to protect PHI, and the rule’s wording on it is often misread. Encryption of PHI at rest and in transit is an “addressable” implementation specification rather than a “required” one, but addressable does not mean optional: a covered entity must either implement encryption or document why it is not reasonable and appropriate and put an equivalent alternative measure in place. Encryption also matters after the fact. Under the HIPAA Breach Notification Rule, PHI that was encrypted in line with HHS guidance is treated as secured, so the loss of an encrypted laptop or drive is generally not a reportable breach, while the loss of the same device unencrypted is.
The SecureDrive product line is hardware encrypted and HIPAA compliant. A drive can only be unlocked with a PIN or through secure authentication from a mobile device. An administrator can set a drive to read-only, see who accessed it and when, and remotely wipe it if it is lost or stolen.