Medical Records are Prime Hunting Grounds for Hackers

In 2016 alone, the healthcare industry averaged nearly four data breaches per week.

Hackers love medical records. After all, they’re loaded with personal information that can be used to steal identities, score prescription drugs, and hold healthcare organizations hostage. In 2014, hackers found medical records to be 10 to 20 times more valuable than a credit card number because they offered copious amounts of sensitive personal data. So it’s no surprise that healthcare data security breaches have become common.

In one incident in early 2016, Hollywood Presbyterian Medical Center in Southern California was forced to pay a $17,000 ransom to have its network restored after hackers broke in. In another cyberattack last summer, hackers compromised records pertaining to 3.7 million patients, plan members, food and beverage customers, and vendors of Banner Health in Phoenix. In 2016 alone, the healthcare industry averaged nearly four data breaches per week, according to data compiled by the U.S. Department of Health and Human Services.

Healthcare data is at high risk, which means it’s a crucial time for web form security, Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance, and other healthcare IT measures.

What’s Happening with Healthcare Data Security?

Healthcare organizations are prime targets for cybercrime because they often lack the sophisticated backup systems that are common in other industries. While backing up data does not prevent cybercrime, it does allow organizations to remain functional in the face of attacks. If a healthcare facility’s main data system is hacked, having a backup server or cloud solution will provide an uncompromised data source and avoid a complete shutdown.

The Brookings Institution has predicted that one in 13 patients will be impacted by provider data breaches by 2019, in part because federal mandates forced so many practices to adopt electronic health records (EHR) before they were ready to adequately invest in IT security. According to the report, many health facilities allow full employee or provider access to patients’ medical information and share large datasets of this information with business associates because they lack the time and resources to limit shared data or regulate who has access.

How Do HIPAA Data Breaches Happen?

Most healthcare data hacks begin with unsuspecting employees who do something as simple as opening email attachments from addresses that look legitimate—thereby giving hackers access to their email accounts and contacts—or viewing patient records over unsecure networks—making data accessible to others on the same network.

In one experiment, IT security consultants demonstrated how unsuspecting users can contribute to data breaches. The consultants hacked a computerized medicine dispensary by dropping off malware-filled USB sticks labeled with the hospital’s logo that were subsequently used by hospital staff. In another, the same team filled patient portal form fields with malicious code that was triggered when viewed by doctors or nurses.

A lack of mobile security is also to blame. A 2016 study found that 80 percent of diabetes apps available through Google Play lacked privacy policies, which are vital for helping organizations identify who requires access to confidential data, how data should be secured, and procedures for removing data once it is no longer needed by the company. Around the same time, more than 80 percent of surveyed healthcare employees admitted to being concerned about mobile cyberattacks involving ransomware, malware, and blastware.

What Can You Do to Secure Your Healthcare Data?

Choose vendors carefully. Ensure that partners offer HIPAA-compliant web forms. A business associate agreement should be in place with online form partners (and any other third-party vendors). 

Healthcare organizations also should follow HIPAA security standards for the collection of electronic protected health information (ePHI). In addition, privacy policies should be in place, which means all employees know and understand how to lawfully handle ePHI.

Finally, digital tools should meet stringent security standards, such as limited access, data encryption, and automatic session timeouts. Healthcare institutions must understand that their patients’ data is incredibly valuable. At the very least, they need the same security measures now protecting other sectors.

Bottom line: It’s up to each healthcare organization to take steps to ensure its electronic patient information stays secure. Instead of assuming your vendors have a variety of security measures in place to safeguard medical information, be prepared to ask questions such as these:

What security measures are available for online forms? Online form vendors should offer HIPAA safeguards in place, such as advanced data encryption, user-level permissions, audit logging, and dedicated security maintenance. Medical data is highly sensitive, so every possible safeguard should be in place to keep it out of the wrong hands.

How is information protected as it flows from one user to another? Find out what devices an organization uses to view and share data and how those devices are protected. Also. Determine if there are any data access restrictions in place to limit who can view certain information.

How are emails and web traffic encrypted? Ensure information transferred via e-mails and web browsers is protected by strict security measures, such as SSL browser security, TSL data encryption, and PGP email encryption.

How is “at rest” data protected? Find out if data is housed in a secure database that can only be accessed via strong authentication credentials. Also, determine if activity logging is in place to monitor who accesses the database.

What steps are taken to ensure continued HIPAA compliant? Be sure vendors are dedicated to maintaining HIPAA compliant status. Ask how often they monitor and update security measures, as well as when they last reviewed their HIPAA compliant risk analyses.

The future of healthcare data security is dependent upon responses to these issues. Healthcare providers can support data security by protecting sensitive data and adhering to HIPAA requirements.

Chris Byers is CEO of Formstack, Indianapolis, Ind.