It just happened again. And again. A lot of personal data was just lost or stolen. There goes your name, birthdate and social security number. Your email address and phone number.
Every five minutes, every day of the week, nearly 20,000 data records are lost or stolen. In 2016, more than 15 million people had their identities stolen. All told, approximately 41 million Americans have had their identity stolen.
It’s bad enough when your personal information is lost or stolen, but it’s a very personal invasion of privacy when the same thing happens to Protected Health Information.
Healthcare information breaches
Cybersecurity breaches or just plain carelessness leading to leaks of health information are rampant in the healthcare industry. Whether the breach happens at the doctor’s office or at a hospital, patients must expect their private information will find its way to the dark web.
As I write this, there are 377 healthcare data breaches actively under investigation by the U.S. Department of Health & Human Services. In 2015, the department reported the top 10 breaches affected 111 million people in the U.S. Nine of the 10 breaches originated when computer systems were hacked. The tenth was a stolen laptop.
A 2017 study by Accenture found 26 percent of people in the U.S. have had their private health information stolen. The highest percentage of breaches occurred at hospitals, urgent care clinics and pharmacies. Ironically, 88 percent of healthcare consumers continue to “trust their physicians or other healthcare providers to keep digital healthcare data secure,” according to the study.
PHI ranges from the patient’s name to the IP address of the computer they use. And PHI may be held in digital or analog forms by hospitals, specialists, primary care doctors, business associates and others. The threat of that information getting exposed by employee carelessness or snooping, or malicious hacking is very real.
How “it” happens
Information security threats are internal and external and can be malicious or simple carelessness. They range from hackers exploiting IT system flaws to an unencrypted laptop carrying patient records stolen from an employee’s car. A major challenge facing healthcare organizations is that PHI is stored in many places.
Healthcare organizations look for external vulnerabilities to understand where IT security defenses don’t exist or could be compromised. They explore internal threats, as well, knowing every employee—at any level—is a potential security risk.
In 2016, 43 percent of PHI breaches were caused by healthcare workers (PDF). About half were accidents, leaving PHI out in the open on a desk, for example; others were employees intentionally prying into patient records just because they could.
Sharing passwords, lost or stolen laptops, unlocked computers, disgruntled current or former employees or those who are simply curious are potential security risks. The U.S. Department of Health and Human Services, Office of Civil Rights tracks every healthcare related data breach in the country. The breaches range from external system hacks to unauthorized records access. In general, much of the unauthorized access to data can be prevented with internal, IT-related safeguards.
Which brings us to the issue of health system internal security. Many large and small providers simply don’t have the infrastructure in place today to monitor staff access to patient records at all times. They aren’t aware of employees who access patient information at times when they shouldn’t or when employees should have limited access to patient information because of their role in the organization.
Why “it” happens
Money. If you remove plain carelessness from the PHI-loss equation, money is frequently the motivation behind stealing PHI. Hackers often prefer PHI over credit card or social security numbers because there’s so much information available in PHI, which makes it valuable. Hackers exploit and sell enough health information to make the work lucrative.
They know the basics:
• Name
• Age
• Gender
• Address
• Employer
• Health insurance provider(s)
They also may get:
• Social security number
• Bank account number(s)
• Credit or debit card numbers
• Phone numbers (patient, relatives, friends)
• Current and past health conditions and treatments
The information is worth anywhere from $50 to $1,000 for a complete record, according to different experts. The discrepancy may have to do with the amount of health data hackers have already stolen: In this case, less is not more. Medical-data hacking is so commonplace it’s created a glut of PHI on the dark web, causing prices to drop considerably.
Three ways to protect PHI
Provider offices, hospitals and health facilities can limit exposure by working with an expert to monitor patient data access by employees. Discrete access points can be immediately captured and sent to the customer in real-time to act on the information and, hopefully, stop the leak before it starts.
My three tips are listed separately, but are really part of a single overarching strategy to help limit internal and external data leakage:
1. Implement IT programs to monitor who accessed what PHI and when. It’s important to track access to understand when a breach first occurs, by whom and over what length of time. One hospital found that for three or more years—they really couldn’t tell how long—PHI was accessed by employees who shouldn’t have had the right to view it.
2. Launch data-security measures to restrict PHI access determined by the employee’s role in the organization. Members of the billing office should have much different and much less access PHI access compared to those who provide care. The hospital mentioned above didn’t know who had been looking at PHI, except to say the breach included “employees who were not intended to have access to patient information.” An answer like this only serves to weaken patients’ confidence in the healthcare organization.
3. Build or buy IT security solutions to lessen the chance a data hack can be accomplished externally. Healthcare organizations need to take a look at the vulnerability of their IT systems through the eyes of a hacker. Check for any EHRs or databases that can be accessed from outside the organization’s walls. Work with the IT department or an outside security specialist to understand system weaknesses and then correct them. Make this an ongoing project for the organization and commit to regular testing.
Protecting PHI isn’t one person’s job. It takes an entire organization to ensure PHI is protected today and in the future. As more and more information continues to move to databases, safeguarding PHI will require even more diligence. Ongoing training for all employees, regular IT security analysis and systems probing, and long-term dedication all make a difference when it comes to protecting patient data.
Kevin Lathrop is President of TriZetto Provider Solutions, a Cognizant Company, which is one of the nation’s largest revenue cycle management organizations, offering patient access, claims and denial management, contract management and patient financial solutions.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.