Cyber-attacks and data theft in almost every industry are a weekly occurrence these days. Healthcare is no exception. Early this year, Blue Cross / Blue Shield was breached, an attack that affected over 80 million people. Smaller in numbers but no less devastating, the UCLA Health System leak this summer exposed the private health information (PHI) of 4.5 million insured persons. Hackers made off with patient names, addresses, social security numbers and in some cases detailed medical records.
These high-profile breaches create HIPAA violations, resulting in lawsuits, settlements and fines. In addition, the companies often end up paying for credit monitoring and repair for victims whose identities were stolen.
Recently Becker’s Health IT & CIO Review published a list of the 15 most expensive fines and settlements for healthcare data breaches. Surprisingly, not one of these culprits was a high-tech cyber attack. So what were they?
Most of the “top 15” fall into three broad categories.
A careless whisper
One broad category involved companies with outdated or careless practices for handling patient data.
In two of the cases, for example, major pharmacy chains disposed of patient PHI by throwing paper records in the trash dumpsters. These weren’t secure disposal bins – they were outside the stores, accessible to anyone.
An $800,000 fine was assessed to a doctor who left the medical records for 8000 patients in his unlocked car, in his driveway. Another fine involved a major New York health plan that returned photocopiers to the vendor without wiping the memory. (The machines contained the scanned health records for 350,000 patients.) Another provider simply “lost” the PHI for almost 200 patients, with no way to know who may have found it.
Regardless of the reasons, these careless, low-tech data leaks affect more people than most cyber-attacks.
Hiding in plain sight
Another category stems from storing healthcare data in readable format on devices that thieves can walk away with. That’s right, five of the 15 settlements involved theft of devices containing millions of unencrypted patient records. These included laptops, portable USB sticks and even removable server disks. And some of the thieves were employees.
For example, Blue Cross / Blue Shield had 57 hard drives stolen at once – and none of them was encrypted. (Same company as in the 2015 breach – but three years earlier.) The other cases involved fewer or different devices, but the results were the same: thieves got away with easily readable patient data.
Whether it’s traditional disks, mobile devices or even cloud storage, strong encryption can make your data useless to anyone without the key.
IT does figure into it, but it isn’t all networks and firewalls
IT practices also figure into healthcare data leaks, but not always due to lax firewalls or network security. Four of the “top 15” were the result of insufficient – or nonexistent – access control lists on patient data.
These IT-related leaks included:
- A hospital that stored 20,000 patients’ records online, without requiring a login for access.
- A university’s health plan whose lax access control let unauthorized employees view patient records.
- A provider that didn’t sufficiently verify user identity before allowing access to its PHI database.
- An IT department that removed a network server – and with it, all restrictions to users accessing PHI data.
Vulnerabilities are both high and low tech
Some “non-cyber attack” breaches don’t fall neatly into these categories. It’s clear, though, that we have to focus as much on our local environments as on cybersecurity. To protect PHI, this means:
- Encrypting patient data on computing and storage devices
- Limiting local storage of PHI
- Retraining employees on disposal of paper medical records and other media
- Putting access control lists in place for all records storage locations
- Performing regular HIPAA compliance audits for PHI
Are you in a healthcare-related industry? What extra measures do you take to ensure HIPAA compliance? Tell us about it in the Comments section.