The healthcare industry has become a hotspot for cybercrime because of the wealth of personal and financial data held in Electronic Health Records (EHRs). “With its storehouse of patient personal information and financial data, including credit card numbers and health insurance identification numbers, your practice is a tempting target for those who want to use or sell this type of data – and the criminals need only one weak link, such as an under-secured computer or portable device, to gain access.”[1]
The rules governing the privacy of patients’ healthcare records are set out in the Health Insurance Portability and Accountability Act (HIPAA). They require healthcare organizations to implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of their patients’ records. Despite the rigorous requirements defined by HIPAA, healthcare providers face a growing number of attacks. Compliance alone is not enough to ensure the safety of EHRs.
The value of a single credit card number in the underground market is around $1 USD, but when it is combined into a full identity profile, the fair value of that same card rises dramatically, to roughly $500. [2] This makes EHRs, which bundle exactly that kind of profile, a hot item for cyber criminals.
Financial services and retail organizations have learned over the years the true costs of data breaches, and have taken steps to ensure security. In 2012, the HHS Office for Civil Rights (OCR) entered into several major settlements of HIPAA enforcement actions. Major healthcare providers settled their data breach cases for between $1.5 million and $1.7 million. [3] A cardiac surgery practice in Phoenix settled a case with OCR for $100,000 after its appointment calendar was found to be publicly accessible over the internet. State attorneys general have pursued smaller cases, which have still resulted in six-figure settlements. Smaller physician practices are also exposed to lawsuits and should take care to have extensive safeguards in place to protect their patients.
This is clearly a challenge that must be overcome by healthcare organizations, which traditionally have not been subject to this threat and have not had to defend against cybercrime. Risks that need to be addressed as more and more information is exposed to cybercrime include [2]:
- Securing enrollment to ensure that first-time users to a portal are who they say they are before granting access to various applications
- Securing access to online portals to prevent the loss of patients’ personal and healthcare information
- Securing access for physicians to clinical applications that contain patient data
- Securing access for payees and other third parties to sensitive data required to perform their job
- Securing the web session both before and after login
- Educating employees on the risks of phishing and malware
Contact your healthcare attorney to confirm that you are HIPAA-compliant and to learn what steps you should take once you become aware of a potential breach of information. Also, contact your IT provider about better ways to technically safeguard your practice. If you have any questions regarding cyber security, please contact your BiggsKofford representative at (719) 579-9090, and we will be happy to serve you.
Sources:
[1] http://www.threattracksecurity.com/getmedia/c2723f16-71de-44ec-8b31-e5d2984833bb/business-antivirus-white-paper-healthcare-security.pdf.aspx
[2] http://www.emc.com/collateral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf
[3] http://www.physicianspractice.com/blog/why-your-medical-practice-may-have-exposure-cybercrime
Article written by Nick Phillips, Associate at BiggsKofford.