Millions had their personal credit and debit card information stolen by hackers during the infamous cyber attack on the Target Corporation last year. This could have been prevented had Target’s decision-makers been vigilant with security measures. What if something like this were to happen to patients in health care facilities?
Data breaches in the health care sector
Breaches and infiltration attempts are widespread in the financial and retail sectors, but the health care community is not exempt from similar vulnerabilities. Health records contain protected health information (PHI), like names, dates of birth, addresses, Social Security numbers, and health insurance details. Hackers profit off this data, which can end up on a black market and be used for fraud. Health data breaches and theft are often the result of weak IT security systems and inexperienced IT security staff.
In one example of a recent breach, a server at the Montana Department of Public Health and Human Resources was attacked, resulting in the potential compromise of 1.3 million records. The hacking may have started as early as July 2013, but it took nearly a year for officials to confirm, according to a press release by the Montana Office of Public Instruction.
Another recent example? NRAD Medical Associates, a radiology and multi-specialty practice in New York, had the protected health information (PHI) and billing details of 97,000 patients stolen in April. The company claims an internal radiologist found his way around the health care facility’s security defense. NRAD management found no evidence that the compromised data was used maliciously. They have since bolstered security.
Data security, in transit or at rest, must be a top priority
Any time business stakeholders, employees, suppliers, and customers share, add, or remove information there is a risk of data loss. The health care sector is a fast-paced environment where information can move from doctor to doctor, doctor to patient, patient to doctor, and so on. While these movements are necessary, HIPAA’s Security Rule is clear: proper physical, technical, and administrative security measures must be in place to protect patient privacy and ensure the security of patient information.
Security experts have reason to believe that health care providers have not been investing enough in security and other IT needs. This has resulted in increasing challenges not only on HIPAA and meaningful use compliance, but also with security itself. Breach after breach across all sectors is raising the alarm for tighter security and more resolute vigilance.
Given the government’s recent move toward health care reform, the need for improved security is even more critical. Cloud and managed services providers can look forward to increasing business opportunities as health care providers look to push as much of the compliance workload off of their resource-constrained IT departments as possible. Electronic health records (EHR) vendors need to increase the security of their programs to ensure PHI is exposed only to authorized personnel, with no opportunity for them to remove that information.
On the part of health care facility owners and administrators, a genuine risk analysis — including a thorough reassessment of past, present, and perceived threats — will help create a risk management system that meets their unique needs. This will only be effective if all concerned are informed of their responsibilities and the consequences of their actions.
Finally, best practices in an automated environment still include the fundamentals. It is vitally important to encrypt data, maintain strong passwords and update them on a regular basis, use rigorous firewall rulesets, install reliable anti-virus tools, limit network access, and control mobile devices. These tried-and-true IT practices are the foundation of a fail-proof security culture.