Healthcare data security: how to protect yourself from threats

McAfee Labs dubbed 2014 "The Year of Shaken Trust." At the time, medical records were 10 to 20 times more valuable than a credit card number because they offered copious amounts of sensitive personal data.

In the time that's followed, great steps should have been taken to secure electronic protected health information (ePHI). Unfortunately, that's not the case.

On the contrary: healthcare data security breaches have become more common in recent years. In one incident, 3.7 million patient records were accessed. In another, a Southern California hospital was forced to pay a $17,000 ransom to have its network restored. The list goes on and on. In 2016 alone, the healthcare industry averaged nearly four data breaches per week. Over the last three years, the number of major HIPAA data breaches for which cyber attackers are responsible has increased by 300 percent.

With healthcare data at such high risk, it's a crucial time for web form security, HIPAA compliance, and other healthcare IT measures.

What's Happening with Healthcare Data Security?
A single medical record offers countless black market opportunities, from prescription abuse and insurance fraud to credit card and identity theft. Access to ePHI is the hacker's jackpot. Healthcare organizations are prime targets for cybercrime because they often lack the sophisticated backup systems that are common in other industries.

That's why the Brookings Institution has predicted that one in 13 patients will be impacted by provider data breaches by 2019, in part because federal mandates forced so many practices to adopt electronic health records (EHR) before they were ready to adequately invest in IT security. According to the report, it's not uncommon for facilities to share large datasets because they lack the time and resources to filter out who should have access to what patient information.

How Do HIPAA Data Breaches Happen?
Most healthcare data hacks begin with an unsuspecting employee doing something as simple as opening an email attachment from a legitimate-looking address or viewing a patient record over an unsecured network. In one experiment, IT security consultants filled patient portal form fields with malicious code to be triggered when viewed by a doctor or nurse. In another, the same team hacked a computerized medicine dispensary by dropping off malware-filled USB sticks labeled with the hospital's logo.

A lack of mobile security is also to blame: a 2016 study found that eight in 10 Google Play diabetes apps lacked privacy policies. Around the same time, more than 80 percent of surveyed healthcare employees admitted to being concerned about mobile cyberattacks involving ransomware, malware, and blastware.

What Can You Do to Secure Your Healthcare Data?
The first step is to choose your vendors carefully. Web forms must be HIPAA compliant, privacy policies should be in place, and digital tools should meet stringent security standards. Healthcare institutions must understand that their patients' data is incredibly valuable. At the absolute minimum, facilities must introduce the same security measures now protecting other sectors.

Bottom line: It's up to each healthcare organization to take steps to ensure its ePHI stays secure. Instead of assuming vendors have adequate security measures in place to safeguard medical information, be prepared to ask questions such as these:

• What security measures, such as SSL and advanced password protections like 2FA, are available for online forms?
• How is information protected as it flows from one user to another?
• How are emails and web traffic encrypted?
• How is "at rest" data protected?
• What steps are you taking to ensure you remain HIPAA compliant?

The future of healthcare data security depends on the answers to these questions.

Author bio
Chris Byers is the CEO of Formstack, an Indianapolis-based company offering an online form and data-collection platform. Prior to Formstack, Byers co-founded an international nonprofit that was built via remote relationships among partners in Europe, Africa, and the United States.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.