79 million records. That’s how many records hackers accessed in the Anthem Inc. hacking incident of 2015. Since then, there have been many instances of hackers stealing millions of records.
Research indicates hacking is the #1 cause of data breaches in the healthcare sector. Additionally, many of the hacking incidents in the healthcare industry from 2014-2018 took place over months or years before they were found.
This post includes information for the medical industry about healthcare data breaches, including:
- What is a data breach in healthcare?
- How do healthcare data breaches happen?
- Why is data protection important in healthcare?
- What’s the cost of healthcare data breaches?
- The top 5 solutions for a healthcare data breach.
- Benefits of adopting a cybersecurity protocol in medical practice.
What is a data breach in healthcare?
A data breach, as defined by the United States Department of Health and Human Services: the illegal use or disclosure of confidential health information that compromises the privacy or security under the Privacy Rule and poses a sufficient risk of financial, reputational, or other types of harm to the affected person.
How do healthcare data breaches happen?
According to the United States National Library of Medicine National Institutes of Health, the two major categories of data breaches are:
- Internal data breaches
Internal data breaches happen when someone within the organization causes the breach.
- External data breaches
External data breaches happen when someone from outside the organization causes the breach.
Within these two categories are different ways in which data is breached.
For example, internal healthcare data breaches can happen through:
- Intentional abuse of privilege
- Improper disposal of data
- Unintentional sharing of confidential information with an unauthorized person
On the other hand, external healthcare data breaches can happen through:
- Phishing attack
- Malware attack
- Ransomware attack
- Credit card fraud
- Insurance card fraud
Why is data protection important in healthcare?
Healthcare databases hold some of the most sensitive data there is. With the information stored in them, such as personally identifiable information, health insurance details (like Medicaid ID numbers), and medical histories, a hacker has everything needed to steal a person’s identity and make the patient’s life miserable, all while making the clinic pay handsomely for it.
According to the Center for Internet Security, Personal Health Information (PHI) is valued more highly on the dark web than credit card credentials or other Personally Identifiable Information (PII), which is why the data stored in medical databases is so irresistible to cybercriminals.
The Center for Internet Security states that criminals often use the data to:
- target patients with scams that focus upon the victim’s conditions
- offer false settlements
- file fictional insurance claims, so they can buy and resell medical supplies or equipment
- access prescriptions for personal use or resale
What’s the cost of healthcare data breaches?
- Patient costs
In 2017, Accenture’s study on data breaches in the healthcare industry revealed that over 25% of United States residents had been affected by a healthcare data breach. According to a survey from Accenture, many of those patients were victims of medical identity theft and paid around $2,500 in costs.
According to the United States National Library of Medicine, data tampering can lead to failed treatment that can cost patients their lives.
- Clinic costs
HIPAA fines depend on multiple factors, one of which is the organization’s persistence in non-compliance with HIPAA regulations. When non-compliance is a historical problem for the clinic, multi-million dollar fines can be the result.
HIPAA enforcement has been increasing for the last 12 years, as have the penalty amounts. For example, in 2018, a record-breaking monetary penalty of $16 million was demanded of Anthem Inc for their 2015 data breach of 78.8 million records. The fine resolved non-compliance with the HIPAA Security Rule, which the HHS Office for Civil Rights (OCR) found when investigating the breach. 2018 itself was a record-breaker, with fines totaling $28,683,400.
While the $16 million fine for Anthem Inc was the largest in history, the hefty fines have continued. In 2021, OCR fined Excellus Health Plan $5 million for their breach.
OCR isn’t the only body that can fine healthcare organizations for HIPAA violations. State attorneys general can also levy fines. According to HIPAA Journal, penalties start at $100 per violation, with the maximum fine being “$25,000 per violation category, per year.”
Lastly, healthcare organizations’ brand images can be destroyed, and that can lead to lost business.
Top 5 solutions for avoiding a healthcare data breach:
There are many steps that clinics can take to avoid a data breach. Below are five of the most crucial steps a practice manager can take to ensure the practice can avoid a healthcare data breach.
- Security programs
Experts recommend using cybersecurity for devices, networks, and apps.
Hiring enough knowledgeable cybersecurity staff to keep a practice protected is one proactive solution to data breaches.
Protecting patient information with PINs or passwords, and limiting who holds those credentials to the nurses and doctors who need them, is highly recommended. Insurance companies and business partners should likewise ensure that only those who should have access to the data actually have it.
Changing PINs and access codes often is another solution to data breaches.
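The access-limiting advice above is easiest to reason about when it is written down as an explicit policy. The following is an added example, not code from the original post or from any product it mentions: a hypothetical role model for a small practice, a "minimum necessary" rule that lets clinical roles open only the charts of patients in their care, and an audit log in which denied attempts are recorded so that a user who keeps probing records outside their role stands out. All roles, user names and patient identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical role model for a small practice (constructed for this example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_clinical", "write_clinical", "read_demographics"},
    "nurse": {"read_clinical", "read_demographics"},
    "billing": {"read_demographics", "read_insurance"},
    "front_desk": {"read_demographics"},
}
CLINICAL_ACTIONS = {"read_clinical", "write_clinical"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    # Patients this user currently treats; clinical data is limited to them.
    care_team_patients: FrozenSet[str]


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    patient_id: str
    action: str
    allowed: bool


class PatientRecordGateway:
    """Every access decision is recorded, allowed or not, so denials can be reviewed."""

    def __init__(self) -> None:
        self.audit_log: List[AccessEvent] = []

    def authorize(self, user: User, patient_id: str, action: str) -> bool:
        # Unknown roles get an empty permission set and are therefore denied.
        allowed = action in ROLE_PERMISSIONS.get(user.role, set())
        # Minimum necessary: a clinical role may only open charts of patients in its care.
        if allowed and action in CLINICAL_ACTIONS:
            allowed = patient_id in user.care_team_patients
        self.audit_log.append(AccessEvent(user.user_id, patient_id, action, allowed))
        return allowed


def users_with_repeated_denials(log: List[AccessEvent], threshold: int = 3) -> Dict[str, int]:
    """Return users whose denied attempts reach the threshold (candidates for review)."""
    counts: Dict[str, int] = {}
    for event in log:
        if not event.allowed:
            counts[event.user_id] = counts.get(event.user_id, 0) + 1
    return {uid: n for uid, n in counts.items() if n >= threshold}


def run_demo() -> Tuple[List[bool], Dict[str, int]]:
    """Constructed scenario: three staff members, a handful of chart accesses."""
    gateway = PatientRecordGateway()
    dr_lee = User("dr_lee", "physician", frozenset({"P-1001", "P-1002"}))
    nurse_kim = User("nurse_kim", "nurse", frozenset({"P-1001"}))
    clerk_ray = User("clerk_ray", "front_desk", frozenset())

    decisions = [
        gateway.authorize(dr_lee, "P-1001", "write_clinical"),        # True: own patient
        gateway.authorize(dr_lee, "P-2000", "read_clinical"),         # False: not in care
        gateway.authorize(nurse_kim, "P-1001", "read_clinical"),      # True
        gateway.authorize(nurse_kim, "P-1001", "write_clinical"),     # False: role lacks it
        gateway.authorize(clerk_ray, "P-1001", "read_demographics"),  # True
        gateway.authorize(clerk_ray, "P-1001", "read_clinical"),      # False
        gateway.authorize(clerk_ray, "P-1002", "read_clinical"),      # False
        gateway.authorize(clerk_ray, "P-1003", "read_clinical"),      # False
    ]
    flagged = users_with_repeated_denials(gateway.audit_log)
    return decisions, flagged


if __name__ == "__main__":
    print(run_demo())
```

The point of logging denials as well as grants is detection: a front-desk account that is refused clinical access three times in a row is exactly the pattern the post's "months or years before they were found" statistic suggests goes unnoticed when only successful reads are kept.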
- Data encryption
One way to prevent a healthcare data breach is to encrypt data. When data is encrypted, the person reading it needs a key to decipher it, so if a person were to hack into the clinic’s network, they would not be able to read the information.
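To make the "needs a key to decipher it" point concrete, and to tie it to the data-tampering risk raised earlier in the post, here is an added example that is not part of the original article. It encrypts a constructed patient record so that the stored bytes reveal nothing about the fields, and it attaches an integrity tag so that a wrong key or a modified byte is rejected rather than silently decrypted into garbage. To stay within the Python standard library it uses HMAC-SHA256 in counter mode as the keystream and a separate HMAC as the tag; this is a stand-in chosen for illustration, and a production system would use a vetted authenticated cipher such as AES-GCM from a maintained library instead. The record contents and the key-derivation labels are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample record; the values are made up for this example.
PATIENT_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "medicaid_id": "MCD-0000-EXAMPLE",
    "diagnosis": "Type 2 diabetes",
}


def _derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Separate keys for confidentiality and integrity, both derived from one master key."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master_key: bytes, record: Dict[str, str]) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce per record keeps keystreams unique."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Tag covers nonce and ciphertext so neither can be altered unnoticed.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master_key: bytes, blob: bytes) -> Dict[str, str]:
    """Verify the tag before decrypting; a wrong key or altered bytes raise ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to contain nonce and tag")
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: wrong key or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit inside the stored blob to simulate data tampering at rest."""
    altered = bytearray(blob)
    altered[offset] ^= 0x01
    return bytes(altered)


def run_demo() -> Dict[str, bool]:
    """Show the four properties a practitioner cares about, as a dict of booleans."""
    key = secrets.token_bytes(32)
    blob = encrypt_record(key, PATIENT_RECORD)
    results = {
        "roundtrip_ok": decrypt_record(key, blob) == PATIENT_RECORD,
        # The Medicaid ID must not appear verbatim in what is written to disk.
        "plaintext_hidden": b"MCD-0000-EXAMPLE" not in blob,
    }
    try:
        decrypt_record(secrets.token_bytes(32), blob)  # attacker without the key
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    try:
        decrypt_record(key, tamper(blob, NONCE_LEN + 5))  # one bit of ciphertext flipped
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The ordering in `decrypt_record` matters: the tag is checked before any decryption happens, so a modified record never reaches a clinician as plausible-looking but altered data, which is the failure mode the post describes as leading to failed treatment.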
- Continued employee education
According to The University of Chicago, Illinois, organizations should teach employees to identify phishing scams, including refresher classes.
In 2016, 23% of healthcare breaches happened due to staff not disposing of records properly. Therefore, educating staff can be highly beneficial for cybersecurity purposes.
Frequent meetings for discussing network security and plans for strengthening it are helpful.
- Organizations should limit the number of access points to the system to deter criminals
Hospitals and clinics can still give patients internet access by putting them on a separate guest Wi-Fi network that is isolated from the systems holding sensitive information.
- Clinics should use EMR instead of paper records.
The United States National Library of Medicine found Electronic Medical Records (EMR) to carry a significantly lower data breach risk than paper records. There are also many ways to back up electronic data so that, if there is a breach, the practice can avoid data loss and operate as usual.
Benefits of adopting a cybersecurity protocol in a healthcare practice
While some benefits might seem obvious, like “to protect the practice from hackers,” there are other benefits as well. For instance, maintaining HIPAA compliance is a benefit practices receive when they implement cybersecurity protocols. Another is the protection that cybersecurity affords.
Practices can protect:
- The patients’ information
- The patients’ well-being
There is less risk of medical error, which is a potential outcome of healthcare data breaches. Under specific circumstances, many electronic medical devices can be accessed by hackers, which allows the hacker to operate the devices. Some of these devices are life-saving devices that, if misused, could cause death for the patient.
- The practice’s brand image and, with it, its revenue
If the practice gets a bad reputation for leaking information and patients stop coming in, the employees and shareholders will not get paid.
Cybersecurity is a must in any medical organization and for its business partners. Without it, many people and businesses are left vulnerable to fiscal and physical threats. Digitization in the medical industry has given healthcare employees many previously impossible capabilities. Still, for digitization to deliver on electronic medical records and telemedicine, and to keep patients alive, cybersecurity protocols must be adopted, and employees must be trained and retrained. The costs of failing to do so can be high: millions of dollars in fines and, in some cases, death.