Security breaches have gained a strong foothold in the healthcare industry this year. Nearly half of healthcare organizations were hit by security threats at least once this year, and the number is expected to increase in the coming years.
Security breaches that constitute HIPAA violations can be classified as follows.
Hospitals and clinics pay little attention to the physicians' own devices that hold PHI; if such a device is lost or stolen, it becomes a very big security threat. Another category is the use of outdated software, which leaves systems at very high risk of malware infection. A few hospitals try to shrink their security spending, which in turn leaves them with high penalties to pay.
The following are a few instances that happened in 2014.
Theft of Devices
The State of Massachusetts billed Beth Israel Deaconess $100,000 after one of its physicians failed to follow the encryption policy and his laptop, containing information on 4,000 patients, was stolen.
Unencrypted backup tapes stored on the premises of The Women & Infants Hospital of Rhode Island were stolen; they contained patient names, dates of birth, SSNs, ultrasound images and examination dates. As a result, WIH (The Women & Infants Hospital) had to pay a civil penalty to the Massachusetts Attorney General.
Eight computers holding unencrypted patient data (SSNs, demographic data and billing information including medical diagnoses) were stolen from Sutherland Healthcare Solutions. This breach affected approximately 340,000 patients.
Triple-S Management Corp, a San Juan-based insurance holding company, received a $6.8 million penalty from HHS for sending its Medicare Advantage patients mailed letters on which the Medicare numbers were visible from outside the envelope.
A staff member of a Virginia-based health system accidentally donated CDs containing PHI to a children's art program, making patients' DOB, SSN and demographic data public.
The diagnoses, medications, current therapy and treatment plans of Dignity Health Mercy oncology center patients became viewable in search engines such as Google when a third-party vendor posted a link on its website to transcribed physician progress notes.
With new viruses being introduced all the time, keeping software up to date is essential to escape this kind of threat.
HHS billed Community Mental Health Services $150,000 for using outdated, unsupported software; the resulting malware data breach affected 2,743 individuals.
Valley View Hospital in Glenwood Springs, Colorado reported that several of its computers had a virus that captured screenshots of the computers and stored the images in an encrypted, hidden folder that could have been accessed by an outside entity.
Heartbleed, discovered in April, is a serious vulnerability in the OpenSSL cryptographic library. It allows anyone to read the memory of systems running a vulnerable version of OpenSSL, which let attackers obtain private keys, usernames and passwords without much effort. Community Health Systems, a large hospital group based in Franklin, Tennessee that operates 206 hospitals across 29 states, reported that hackers were able to gain access to CHS's systems through the Heartbleed vulnerability. This is said to be the largest hacking-related data breach of 2014.
Shellshock, discovered in September 2014, is comparable to Heartbleed. Unlike Heartbleed, Shellshock consists of a series of bugs that surfaced one after another, each requiring an immediate fix to prevent attacks. It is a bug in the bash shell through which attackers could gain access to a machine and run bash commands to bring the server or machine under their control.
Employee snooping and insider misuse are also among the biggest privacy threats in the healthcare industry at present.
Emeline Lubin, a former Tufts Health Plan employee, was convicted of disclosing patient information in a fraudulent tax refund scheme after stealing the personal data of more than 8,700 members.
An employee of Cleveland-based University Hospitals inappropriately accessed nearly 700 patients' medical and financial records over more than three years without UH's knowledge.
A former employee of Riverside Health System inappropriately accessed the social security numbers and EHR records of 919 patients. The breach was discovered in a random audit after four years (September 2009 to October 2013).
Unauthorized access to PHI is increasing day by day. An unknown source accessed and stored the PHI of about 60,000 patients at Dallas-based Onsite Health Diagnostics, which contracts with the State of Tennessee's wellness plan.
In one of the biggest HIPAA security breaches reported, hackers accessed a server of a Texas healthcare system, compromising the protected health information of about 405,000 individuals.
Sony notified employees that their medical data and Social Security numbers were exposed in a cyber-attack.
A hacker even threatened to make the PHI of Clay County Hospital patients in Flora public unless a ransom was paid, but external forensic experts investigated and determined that the Clay County Hospital servers remained secure.
Authentication and Authorization
Ensure that only authenticated users access the system, and monitor access control to confirm that they reach only the pages they are authorized for.
Storage Encryption - Whatever is stored on local systems or on any device should be encrypted and accessible only to authorized persons holding the appropriate keys.
Transmission Encryption – PHI should always be encrypted while being transmitted to other physicians over the Internet. Also, SSL should be enabled on the server if the application is web based.
BYOD – HIPAA
If physicians or staff use their own devices to access PHI, ensure that BYOD HIPAA compliance is implemented and instruct them to follow it.
Make sure to update all the software in the inventory to the latest version regularly so that the risk of malware or viruses is reduced. Keep track of newly disclosed security vulnerabilities so that updates can be applied at the right time.
Audit all users' access and the data they access. Review these audits at regular intervals to check for employee snooping and unauthorized access.
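One way to put this audit review into practice, as an added example that is not part of the original article: a small Python script that scans a constructed EHR access log (hypothetical users, roles and patient IDs) for the bulk record browsing and off-hours access patterns behind the insider cases above. The log format, the 5-minute window and the patient-count threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log (hypothetical users, roles and patient IDs).
# Fields: timestamp, user, role, patient, action, treating_relationship (yes/no)
SAMPLE_LOG = """\
2014-10-01T08:02:11,nurse_a,nurse,P1001,view,yes
2014-10-01T08:05:40,nurse_a,nurse,P1002,view,yes
2014-10-01T09:15:03,clerk_b,billing,P2001,view,no
2014-10-01T09:15:20,clerk_b,billing,P2002,view,no
2014-10-01T09:15:44,clerk_b,billing,P2003,view,no
2014-10-01T09:16:01,clerk_b,billing,P2004,view,no
2014-10-01T09:16:30,clerk_b,billing,P2005,view,no
2014-10-01T22:41:09,dr_c,physician,P3001,view,no
"""

def parse_log(text):
    """Parse audit lines into records; malformed lines are skipped but counted."""
    records, bad = [], 0
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            bad += 1
            continue
        ts, user, role, patient, action, rel = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "patient": patient, "action": action, "treating": rel == "yes"})
    return records, bad

def find_snooping(records, max_patients=4, window=timedelta(minutes=5)):
    """Flag (1) more than max_patients distinct records opened within `window`
    (bulk browsing) and (2) off-hours access to patients the user is not treating.
    Thresholds are assumptions; tune them to the facility's workflow."""
    findings = []
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        for i, r in enumerate(recs):
            seen = {x["patient"] for x in recs[i:] if x["ts"] - r["ts"] <= window}
            if len(seen) > max_patients:
                findings.append(("bulk_access", user, len(seen)))
                break  # one finding per user is enough to trigger a review
        for r in recs:
            if not r["treating"] and not 7 <= r["ts"].hour < 19:
                findings.append(("off_hours_no_relationship", user, r["patient"]))
    return findings
```

Running `find_snooping(parse_log(SAMPLE_LOG)[0])` on the constructed log flags the billing clerk who opened five records in under two minutes and the late-night access to a patient with no treating relationship, while the nurse's normal workload produces no finding.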
A proper backup ensures that data is never lost. All daily data, including audit logs, should be backed up for later reference and recovery. Make sure a proper recovery mechanism is in place so that backed-up data can be restored in an emergency or after accidental deletion. Also ensure that backup data is encrypted to avoid misuse.
If data is no longer needed, make sure you dispose of every copy of it in backups, archives and third-party storage devices. Any leftover copy leaves the data vulnerable.
Assign a HIPAA Compliance Manager to regularly check that the HIPAA Security and Privacy Rules are implemented appropriately in the EHR and in the hospital workflow process.
The Compliance Manager should also keep a close eye on security risks so that mitigation steps can be planned.
“Prevention is better than cure” - if clinics and hospitals follow all the HIPAA Security and Privacy Rules, they can ensure that patient data is safe and avoid paying large penalties to the government.
ViSolve, Inc. is a software services and consulting firm with expertise in Healthcare and Cloud. ViSolve is headquartered in San Jose, CA, with best-in-class Development. ViSolve is committed to providing better healthcare through vendor-neutral IT services. To know more about how ViSolve can enhance your IT capabilities, get in touch with us by email at firstname.lastname@example.org or call us at +1 (408) 850 2243.