As if folks in the healthcare industry didn't have enough to worry about, it's becoming apparent that medical records are increasingly hot items on the black market. As a result, cyberattacks on healthcare organizations and insurance companies, as evidenced by the recent breach of 78.8 million records from insurance giant Anthem, are on the rise.
That's the bad (OK, really bad) news. The good news is that even small medical practices can put cost-effective safeguards in place in order to significantly mitigate the risk of their data ending up on the black market.
Why Medical Records Are So Valuable To Criminals
It comes down to simple economics. All too often, medical records are both easier to steal (due to inadequate technical safeguards) and worth significantly more on the black market than, say, credit card information (sometimes 10 to 20 times as much). Several factors drive that price:
Slower detection: Credit card companies, in many cases, pick up on fraudulent activity and can deactivate cards relatively quickly after theft is discovered. It's much harder to detect and clear up fraudulent insurance claims or purchases made using stolen medical records.
Medical purchases: Patient data can be used to fraudulently purchase drugs and medical equipment that can in turn be sold on the black market.
Insurance fraud: Criminals can open false claims to net money from insurance companies.
Wide range of data: Medical records include a wide range of personal information that can be used for identity theft.
What Can Ordinary Practices Do About It?
The short answer? Get serious about cybersecurity. But we get it: a call to "get serious" may sound frustrating, especially to smaller practices. If giant companies like Anthem and hospital chains around the country haven't been able to ward off attacks, how can security be attainable for smaller groups with considerably less revenue?
Our experience providing IT services for small and mid-sized practices has convinced us that while cybersecurity does require investment, that investment does not have to break the bank. We've successfully helped doctors' offices navigate the waters of implementing necessary technical safeguards without blowing up their budgets by helping them pair the right, cost-effective technology with their actual needs. Here are three tips toward a sustainable cybersecurity strategy that we can offer from our experience:
Know your risks: Risk assessments are required for HIPAA compliance and Meaningful Use. It's important for all parties within your organization to understand exactly where EPHI (electronic protected health information) is created, stored, and accessed, and where it may be at the most risk. Only then can smart, cost-effective decisions be made about which safeguards to implement.
Beware of the bare minimum: Sometimes, the bare minimum for maintaining compliance isn't enough. This is especially the case with encryption. Encrypting EPHI at rest (i.e., data stored on internal servers not openly accessible to public networks) is an "addressable" safeguard per the HIPAA Security Rule. Many practices take this as a free pass not to encrypt data at rest. Unfortunately, though, hackers have become much more sophisticated than they were when the HIPAA rules were first drafted, meaning that unencrypted data is by definition data at risk. Need proof? The Anthem breach occurred for precisely this reason: the company's network was "secure" (i.e., set up not to allow unauthorized traffic), but its data was unencrypted.
Cultivate awareness among your staff: Awareness of risk to EPHI and of even low-tech means of protecting it (locking office doors, using complex passwords, securing tablets and laptops with access to EPHI, etc.) is honestly one of the most effective safeguards against cybercrime. So, make sure you A) impress the seriousness of cybersecurity best practices on your entire staff, and B) provide training regularly.
These steps can get small and mid-sized practices well on their way to safeguarding patient data while maintaining a sustainable foundation for practice growth. If you have questions, or would like to talk through how we can help your practice craft a technology strategy to help with HIPAA compliance and efficiency of care, don't hesitate to contact us!