Are Your Health Care Data Records at Risk?
The sharp rise of data breaches in medical organizations
In November 2021, I wrote an article for the Arvig Blog reviewing how Artificial Intelligence (AI) is transforming health care. One element of computer science that works hand in hand with AI is Big Data.
Combined with AI, Big Data techniques can analyze, extract and manage data sets that would be too large, complex or time-consuming to handle with traditional data processing methods.
This capability has drastically changed the way health care organizations manage, analyze, and share data. Being able to connect knowledge bases and case studies among care teams and globally for research has shown immense potential in improving patient outcomes, predicting epidemic outbreaks and avoiding preventable diseases, while gaining valuable insights that reduce the cost of healthcare delivery and improve the quality of life.
The significant downside to advances in data collection and use is that it puts patient privacy and security at risk. A breach of your health care data could expose all of your personal information, including full legal name, address, email and phone number, Social Security number, credit card and other billing information, what you have been or are being treated for, and more.
Bad actors are eager to get your data. According to a 2018 Trustwave report, health care data may be valued at up to $250 per record on the black market. To put this in perspective, the next highest valued record is $5.40. More than 900,000 U.S. companies store health care records, offering a plethora of entry points for hackers.
Improving how Big Data is managed and protected is proving extremely difficult.
In 2019, 41.4 million patient records were breached, including a 49 percent increase in hacking, according to the Protenus Breach Barometer. Even throughout the COVID-19 crisis, health care data breaches continued to fester. September 2021 was an especially bad month: 1,147,383 health care records got hacked; 60,236 records were physically stolen; and unauthorized access by insiders caused a breach of 45,639 records.
Even though the largest number is attributed to hacking and related IT security issues, problems don’t all stem from bad actors in a distant location. One major incident was caused by an unsecured laptop stolen from a health care transportation company. Another was a vendor who was supposed to properly dispose of records, but instead carelessly dumped files in an unsecured rubbish heap. Internally, one health care company did not immediately cut off access for a terminated employee, who then accessed the system with ill intent. There are hundreds of examples, with more unique threats emerging. This shows that providers still have a great deal of work to do when it comes to securing servers and remote connections, properly disposing of documents, and educating patients and internal users on how to prevent phishing attacks. Early detection and prompter breach notification are also issues.
Health care leads all other industries in data breaches
The average cost of a data breach for a health care organization is now $9.2 million, up sharply from the $2.2 million average in 2015. A health care ransomware attack today averages $4.62 million per incident. One reason for the meteoric rise is the pandemic pushing 60% more health care operations to the cloud. Rapid operational changes opened up vulnerabilities while security often lagged behind. A distributed, remote workforce also meant tech personnel could not respond as quickly to security incidents and data breaches.
The industry’s primary areas of cyber exposure lie in the access, storage and distribution of patient data. To provide comprehensive patient care, collaboration between providers and support organizations has been encouraged, but this increases the frequency of patient data transfers. Sometimes data gets sent to mobile devices or remote locations across wireless networks, adding another layer of security risk.
Regulating health care information
Extensive regulation is in place to provide control over patient data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards to protect sensitive health information. Rigorous physical, technical and procedural guidelines should protect patients’ protected health information (PHI). Severe criminal and civil penalties accompany breaches of patient data. There is also an extensive notification network to communicate with patients, the public and the federal government when there is a breach.
HIPAA requires covered entities to ensure that patient information is secure, accessible only by authorized persons, and used only for allowed purposes. However, HIPAA does not provide any guidelines as to how each health care entity should apply security measures. Regulatory requirements continue to increase, but it is those health care organizations that proactively implement strong best practices who have the lowest risk of incurring a costly data breach.
HIPAA Privacy and Security Rules
HIPAA regulations have the biggest impact on health care providers in the U.S., although other regulations like Europe’s General Data Protection Regulation (GDPR) have an impact on global operations. It’s up to health care providers and business associates to ensure that they’re up-to-date on the latest requirements and select vendors and business associates that likewise are in compliance with these regulations.
The U.S. Department of Health and Human Services outlines the key HIPAA regulations:
- HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
- HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
- The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
- HHS enacted a final Omnibus Rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.
How to protect health care data
Truly protecting health care data goes beyond what is required by law. Here are a few ways health care organizations and their business associates can do better:
In 2021, the U.S. government enacted a HIPAA Safe Harbor bill that requires Health and Human Services (HHS) to incentivize cybersecurity best practices for businesses required to follow HIPAA requirements. Covered entities can get reduced penalties and fines if they adopt the proper protocols.
Companies can lower their exposure from threats by analyzing security risks more than the required once per year. Having an incident response plan, should something go wrong, is encouraged and may help businesses avoid a far worse escalation.
Education doesn’t stop at employees receiving training on HIPAA compliance and cybersecurity risks. To better protect data, patients also need to understand and learn how to avoid phishing scams and other ploys to steal PHI.
IT best practices need to be in place, such as strong password security and multifactor authentication; creating regular, secure backups (including off-site); and data encryption while in transit. IT should monitor network traffic and implement regular scans for vulnerabilities.
Big Data has greatly enhanced research to advance patient treatment and find cures, combing through and organizing extremely large data sets. This data does not require a complete set of personal information to be effective. The concept of anonymizing data before it is shared is not new, but policy makers still struggle with how to effectively strip personal information without risk of PHI being re-identified. Such use must also comply with global data security rules. So, while one method for protecting the privacy of patients is to anonymize information before sharing, there is much policy work to be done before data can be distributed on a widespread basis.
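The re-identification problem described above can be made concrete with a small check. The script below is an added illustration, not code from the Arvig article or from any real health care system: it uses a handful of constructed, fictitious patient records, strips the direct identifiers (name and a placeholder SSN), and then measures k-anonymity over the remaining quasi-identifiers (ZIP code, birth year, sex). A record whose quasi-identifier combination is unique (k = 1) can still be matched to a person by anyone who knows those three facts about them, even with the name removed. Generalizing the quasi-identifiers (3-digit ZIP prefix, birth decade) is one standard way to raise k before a data set is shared; the column names and the generalization rules are assumptions for this example.

```python
"""Added example (not from the Arvig article): stripping direct identifiers
is not the same as anonymizing. The records below are constructed sample data,
not real PHI; the SSN values are obvious placeholders."""
from collections import Counter

# Constructed sample records. Direct identifiers: name, ssn.
# Quasi-identifiers: zip, birth_year, sex. Sensitive attribute: diagnosis.
RECORDS = [
    {"name": "Patient A", "ssn": "000-00-0001", "zip": "56501", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"name": "Patient B", "ssn": "000-00-0002", "zip": "56501", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"name": "Patient C", "ssn": "000-00-0003", "zip": "56502", "birth_year": 1964, "sex": "M", "diagnosis": "asthma"},
    {"name": "Patient D", "ssn": "000-00-0004", "zip": "56502", "birth_year": 1968, "sex": "M", "diagnosis": "influenza"},
    {"name": "Patient E", "ssn": "000-00-0005", "zip": "56503", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"name": "Patient F", "ssn": "000-00-0006", "zip": "56503", "birth_year": 1979, "sex": "F", "diagnosis": "anemia"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def strip_direct_identifiers(records):
    """Remove fields that name a person outright. This is the naive
    'anonymization' that the article warns is not sufficient."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def _class_counts(records, quasi):
    # Size of each equivalence class: records sharing the same quasi-identifier tuple.
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size. k == 1 means at least one record is
    unique on its quasi-identifiers and therefore re-identifiable by anyone
    who knows that person's ZIP, birth year and sex (for example from a
    voter roll or a social media profile)."""
    return min(_class_counts(records, quasi).values())


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records that stand alone in their equivalence class: the re-identification risk."""
    counts = _class_counts(records, quasi)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] == 1]


def generalize(records):
    """Coarsen the quasi-identifiers so that more records look alike:
    keep only the 3-digit ZIP prefix and bucket birth year into a decade.
    The exact rules are an assumption for this example; real releases tune
    them against a target k and the data's utility."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = f"{r['birth_year'] // 10 * 10}s"
        out.append(g)
    return out


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RECORDS)
    print("k after stripping names/SSNs:", k_anonymity(stripped))
    print("still unique (re-identifiable):", len(unique_records(stripped)), "of", len(stripped))
    generalized = generalize(stripped)
    print("k after generalizing ZIP and birth year:", k_anonymity(generalized))
    print("still unique:", len(unique_records(generalized)))
```

Run as written, the stripped set still has k = 1 with four of six records unique; after generalization every class has at least two members. In practice a release policy would set a minimum k (and look at the diagnosis column too, since a class where everyone shares one diagnosis leaks it regardless of k), which is the kind of detail the policy work mentioned above has to settle.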
Health care entities have a complex job—understanding and complying with international, federal, state and local regulations, warding off class action lawsuits and paying off ransom demanded by bad actors. Prevention is the key to mitigating attacks before they happen. Health care companies must allocate a budget and invest in effective solutions for their business and patients.