10 Ways patient data is shared with hackers

Personal healthcare information is becoming more difficult to secure. Security hacks of electronic medical records more than doubled last year, costing the healthcare system $50 billion, according to the American Action Forum. An IDC Health Insights report predicts 1 in 3 health records will be breached in 2016.

Thieves have capitalized on the medical industry's transition to digital records and healthcare exchanges. All healthcare organizations were required to implement the use of electronic health records by 2015, as stipulated by the American Recovery and Reinvestment Act (ARRA). This trend will continue and even accelerate as the benefits of digitizing and sharing electronic medical records are also increasing.

Digital data improves quality of medical care
Having structured data entered into an electronic system for a patient's prior health conditions, medications, and symptoms improves physicians' ability to identify and share important information about their patient's medical history. Making this information available on a health exchange network gives admitting physicians remote access to patient records in the event of emergency care. In addition, this allows for timely, complete and accurate information to be readily available to physicians even when the patient is unable to convey the information directly, thereby reducing errors in diagnosis and unnecessary examinations while enabling healthcare providers to make better and more rapid clinical decisions.

Digitizing medical information accelerates the sharing of information between different hospitals, HMOs, healthcare providers, and pharmaceutical companies. Collecting and sharing electronic clinical data enhances the process of discovering side effects of medications and events that may have led to hospital admissions.

Digital medical records also enable inclusion of data collected using wearables that monitor patients with diabetes, heart problems and other conditions. Electronic medical records can be more easily shared with the patients themselves, improving responsiveness and efficiency.

But along with the benefits come the risks
The value of personal health information (PHI) continues to escalate on the black market. Medical information is enticing for hackers because it includes more personal details such as height and eye color that can be used to create fake identities. According to a recent FBI presentation, stolen health insurance information fetched $60-$70 on the black market as opposed to less than a dollar for a Social Security Number. With all the potential rewards, hackers are more tempted to target healthcare organizations.

Here are the ten most common ways that data is leaked:
1. By a third-party vendor – All of the companies that provide services to hospitals, including IT consulting, medical equipment, lab services, etc., and that have access to clinical data.
2. By a consulting physician or medical staff (including both admitting and referring physicians), contractors, students, and volunteers – There are many different types of people, involved with everything from admitting to social services, who can make data available to hackers.
3. Hacker takes PHI through a cloud service – Cloud services used for backup are not often adequately secured.
4. An email received by someone other than your patient – Hackers are becoming more sophisticated and are using phishing campaigns to impersonate patients to convince employees to divulge PHI.
5. Someone logs into a hosted service that contains PHI – This could be an email account, calendar system, or hosted emergency medical response system.
6. Employees send PHI through their work email address – Emails can be intercepted and hacked, or employees can collude with fraudsters. Sometimes emails are sent to the wrong person by accident and the data is inadvertently leaked.
7. Employees send PHI through their personal email address
8. Employees send PHI through a file sharing site (like Dropbox) – Often, third-party solutions that are not secure are used to share large files that can't be sent using standard email systems.
9. A hacker breaks into your website to steal PHI
10. Employees send PHI through instant messaging (like Skype)

Due to the many ways that electronic medical information can be shared, healthcare organizations must take extra measures to protect all these information flows. In addition, these systems should be readily accessible and easy to use. If the systems in place to secure data exchanges are cumbersome to use, for example requiring the recipient to download software, employees can bypass the systems and send the information without any type of protection.

The investment is well worth it. If confidential medical records end up in the wrong hands, the consequences can be very damaging. A breach of medical records could lead to identity theft, where victims could seek litigation against the healthcare organization where the breach occurred. If the breach affected multiple patients, the practice is headed down a long, nightmarish road of litigation with an equally disastrous loss of trust.

Organizations must protect personal healthcare information and comply with regulatory requirements, while allowing practitioners to gain the fast access to data necessary to provide superior patient care. By clearly communicating data protection policies and securing all the different ways that data can be exchanged, healthcare organizations have a better chance of not having their data breached and becoming a victim of healthcare fraud.

Eitan Bremler is the co-founder and VP of product management and marketing for Safe-T. He's responsible for overall global Marketing and Product Management activities of Safe-T including product strategy and roadmap, product marketing, positioning, go-to-market and corporate marketing.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2017.