Cybersecurity Concerns in Health Care
Health care systems are eager to adapt to newer technology and widespread network options, all in the name of giving patients the best possible care. However, this comes with a price: more outlets for hackers to breach valuable data.
Although data breaches in the retail and banking sectors have received massive coverage, the health care sector has not received the same kind of attention.
Consider that in 2017:
- There were 477 health care breaches reported to the U.S. Department of Health and Human Services or the media (nearly 5.6 million patient records were affected).
- Augusta University Medical Center was hit with two phishing attacks,
- A UC Davis Health employee’s choice to respond to a phishing email with login credentials compromised health information for nearly 15,000 patients.
As technology evolves, so do hackers. In 2015, insurance group Anthem suffered what was believed to be the largest breach of a health care company to date: more than 37 million patient records —including names, Social Security numbers, birthdays, addresses, email and employment information, and income data — were exposed.
Medical data is big business as records can fetch top dollar on the black market — up to $500 per patient. The information in stolen medical records is used to buy medical equipment or drugs — either of which can be resold — or to file bogus claims with insurers. Further, medical records lack the kinds of safeguards as credit cards or banking materials as they cannot be canceled.
Whether used in a secure or open location, mobile devices such as smartphones and tablets can offer hackers backdoor access to a medical group’s network. Medical devices that use the internet, network, or Bluetooth connectivity have proven revolutionary for the health care industry, but because they may not have been network-ready originally, they do not have the kinds of security protections to ward off hackers.
Further, a rise in health care service consolidation through mergers and acquisitions means more medical records are being moved around, shared and reviewed — sometimes on “legacy” systems that were never designed or intended for digitization — offering ripe moments for hackers to seize them.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was published on February 20, 2003. The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their EPHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services (HHS) and issue a notice to the media if the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported using the Office for Civil Rights’ (OCR) web portal (the OCR only requires these reports to be made annually). Breach notifications should include the following information:
- The nature of the EPHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the EPHI or to whom the disclosure was made (if known).
- Whether the EPHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
Breach notifications must be made without unreasonable delay (in no case later than 60 days following the discovery of a breach). The covered entity must inform the individual of the steps taken to protect from potential harm, including a description of the efforts to investigate the breach and the actions taken to prevent further breaches and security incidents.
However, compliance is not enough. HIPAA incentivizes health care providers to adopt secure networks by imposing large fines on providers who suffer breaches of protected health information due to a cyber attack. The cost and consequences of a breach fall on the entity, rather than the attacker. Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million for violations of HIPAA’s Privacy and Security Rules. In addition to massive fines and penalties for violations, the settlement process and implementation of a corrective action plan are extremely costly, time-consuming, and stressful.
How can the health care industry protect itself?:
- Vendors should install security patches on a more widespread basis for machines that record data such as CT scanners.
- Old or unpatched operating systems should be upgraded so that medical facilities are less vulnerable to attacks.
- Networks should be segmented, or divided into subnetworks, to make them more secure.
- Health care groups must implement bring-your-own-device policies — such as allowed/banned apps and acceptable-use rules — for mobile devices like smartphones and tablets.
- Increase employee training to reduce the concern that employee negligence will contribute to or result in a security breach.
- Data should be backed-up regularly, encrypted, and safeguarded with multi-factor authentication.
Taylor helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Tax practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology related issues.View All Posts by Author ›
- Accountable Care Organizations
- Digital Assets
- News & Events
- Health Insurance Exchange
- Affordable Care Act
- Fraud & Abuse
- Labor Relations
- Health Care Reform
- 6th Circuit Court of Appeals
- HITECH Act
- Did you Know?
- Electronic Health Records
- Employee Benefits
- Department of Labor
Best Lawyers® 2020
Congratulations to the attorneys of the Health Care practice group at Foster Swift Collins & Smith, PC for their inclusion in the Best Lawyers in America 2020 edition. Firm-wide, 42 lawyers were listed. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation and as lawyers are not required or allowed to pay a fee to be listed; inclusion in Best Lawyers is considered a singular honor. Health Care practice group members listed in Best Lawyers are as follows:
- Gilbert M. Frimet, Southfield
- Richard C. Kraus, Lansing
- Gary J. McRay, Lansing
- Jack A. Siebers, Grand Rapids/Holland
- Jennifer B. Van Regenmorter, Holland
To see the full list of Foster Swift attorneys listed in Best Lawyers 2020, click here.