The last month has seen one HIPAA data breach affecting 150,000 individuals and another affecting 11 million.
The 11 million-record breach affected more than twice as many individuals as last year's Community Health Systems breach, making it the second largest healthcare data breach on record after Anthem's and far eclipsing the 2011 Tricare breach that exposed 4.9 million records.
It is clear that the healthcare industry has entered a new era, in which organizations are being attacked by criminals looking to steal data on a monumental scale. Health insurers make attractive targets: they hold the personal information, health data and Social Security numbers of tens of millions of consumers, and in many cases their network security controls are not particularly stringent.
A recent PricewaterhouseCoopers report – Managing cyber risk in an interconnected world: key findings from the Global State of Information Security – shows how valuable this data is. The report states that “A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.”
What is particularly worrying is that the two mega breaches to hit the industry this year – the 78.8 million-record breach at Anthem and the 11 million-record breach at Premera – were not “smash and grab” attacks. The individual or individuals responsible gained access to the insurers’ systems and had months to take what they wanted.
These two breaches should act as a wake-up call for health insurers and prompt them to conduct full security audits of their IT systems.
If no controls restrict what staff are able to download, no security monitoring is in place to identify malware, and attempts to access PHI are not logged, a breach that has already happened may well go undetected. Many HIPAA-covered entities are likely to discover not only that the weaknesses in their systems could be exploited by hackers, but that they already have been, and that PHI has already been stolen.
The recent 150,000-record hacking attack on Advantage Dental emphasizes the importance of robust data security measures. The provider had an intrusion detection system in place that identified the improper access to PHI. The breach was not prevented, but the damage was certainly limited.
The HIPAA Security Rule requires all covered entities to conduct a comprehensive risk analysis of their systems, policies and procedures to identify security weaknesses that hackers and thieves could use to gain access to Protected Health Information. Without a full risk analysis it is impossible to know whether every security hole has been closed.
A risk analysis also cannot be a one-off exercise: even if every issue is found and the risks managed, procedures, policies and IT systems change. Risk analysis must therefore be an ongoing process, repeated regularly to ensure that systems – and the PHI stored in them – remain secure and protected.
It may not be possible to prevent every HIPAA data breach, but steps can be taken to make it harder for criminals to access, view and steal PHI, and to limit the harm caused if IT systems are compromised. These steps also help healthcare providers and insurers avoid financial penalties and limit liability in negligence lawsuits.
These measures include:
- Completing a full risk analysis to identify weaknesses
- Acting on all findings and managing the identified risks
- Putting in place an intrusion detection system
- Monitoring, logging and reviewing all access to PHI
- Configuring IT systems to install antivirus updates automatically
- Patching all servers and devices used to access PHI as soon as updates are released
- Routinely scanning internal systems for malware and viruses that may have evaded detection
- Training all staff on the HIPAA Privacy and Security Rules and their responsibilities under them
- Training staff to recognize viruses, malware and phishing attempts
- Encrypting all PHI at rest and all PHI in transit
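The point of the Advantage Dental case, and of the months-long dwell time at Anthem and Premera, is that logging PHI access only helps if someone (or something) actually reviews the logs for the bulk, off-hours pattern a slow exfiltration leaves behind. The following is an added example of such a review, not code from the original article or from any of the organizations named. The log format (timestamp, user, action, patient record id), the account names, the 50-records-per-day threshold and the 07:00 to 19:00 business window are all assumptions for the illustration; the log lines are constructed, not real data.

```python
"""Review PHI access logs for bulk and after-hours access.

Added example; the log format, accounts and thresholds are assumptions,
and the sample log below is constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few ordinary clinician lookups during the day ...
_NORMAL = """\
2015-03-02T09:14:05 jsmith VIEW 100234
2015-03-02T09:20:41 jsmith VIEW 100877
2015-03-02T11:05:09 jsmith UPDATE 100877
2015-03-02T10:02:13 ahernandez VIEW 100234
2015-03-02T14:30:00 ahernandez VIEW 100415
"""
# ... and a service account pulling 300 distinct records in one minute at
# 23:41, the kind of trace a months-long exfiltration leaves in the logs.
_BULK = "".join(
    "2015-03-02T23:41:%02d svc_reports EXPORT %d\n" % (i % 60, 200000 + i)
    for i in range(300)
)
SAMPLE_LOG = _NORMAL + _BULK


def parse_log(text):
    """Parse 'ISO-timestamp user action record' lines into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, record = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "record": record,
        })
    return entries


def review_phi_access(entries, max_records_per_day=50, business_hours=(7, 19)):
    """Return one finding per (user, day) that trips a rule.

    Rule 'volume': a user touched more distinct patient records in a day
    than a clinician plausibly needs (threshold is an assumed baseline).
    Rule 'after_hours_export': bulk EXPORT actions outside business hours,
    aggregated per user and day so one incident yields one finding.
    """
    start_h, end_h = business_hours
    records_by_user_day = defaultdict(set)
    after_hours_exports = defaultdict(int)

    for e in entries:
        day = e["ts"].date().isoformat()
        key = (e["user"], day)
        records_by_user_day[key].add(e["record"])
        in_hours = start_h <= e["ts"].hour < end_h
        if e["action"] == "EXPORT" and not in_hours:
            after_hours_exports[key] += 1

    findings = []
    for (user, day), records in records_by_user_day.items():
        if len(records) > max_records_per_day:
            findings.append({"user": user, "day": day,
                             "rule": "volume", "count": len(records)})
    for (user, day), n in after_hours_exports.items():
        findings.append({"user": user, "day": day,
                         "rule": "after_hours_export", "count": n})
    # Deterministic order for reporting and testing.
    findings.sort(key=lambda f: (f["user"], f["day"], f["rule"]))
    return findings


def flagged_users(findings):
    """Distinct accounts that appear in any finding."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in review_phi_access(parse_log(SAMPLE_LOG)):
        print("%(user)s %(day)s %(rule)s count=%(count)d" % f)
```

Two caveats a practitioner would add. First, the thresholds must be tuned against each account's real baseline, and legitimate batch jobs must be reviewed and whitelisted explicitly rather than by raising the threshold until the noise stops. Second, the review is only as good as the logs it reads: an intruder with months of access will look for the logs, so they need to be shipped off the application host to a store the application accounts cannot modify.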