Note: This is blog 3 of 4 in our HIPAA series.
During 2016, there were 377 health care data breaches in the U.S., according to ITRC. Between 2012 and 2016, breaches increased in frequency (50 percent), severity (50 percent) and number of records exposed (69 percent). In a single breach of Quest Diagnostics in November 2016, 34,000 people were affected. The threat is escalating all the time, and these statistics point to the vital role the Omnibus Rule must play around the issues of privacy, security and enforcement under the Health Information Technology Act.
The Omnibus Rule seeks to recognize and deal with the increased threats posed to health care data. Hackers are no longer only nefarious individuals looking to make a quick buck. They’re sophisticated criminal operations with vast resources, capable of doing tremendous damage.
Medical records are valuable to hackers and can be sold for up to 50 times more than stolen credit card numbers, because they can be used for insurance fraud, to obtain false prescriptions, and for extortion and simple identity theft.
Steps to implement
Historically, the health care industry has lagged behind in terms of safeguarding sensitive information. Here are steps that should be implemented immediately:
In almost every case, a breach begins with a person who has legitimate access to a system sharing that information, knowingly or unknowingly, with a hacker. Through neglect or carelessness, employees often share vital information unwittingly. Educate staff about the ways credentials can be stolen, and limit how much data any one staff member can access.
Basic training for new hires goes a long way—annual updates on phishing techniques and other Internet scams make employees more security conscious.
In an all-too-common scenario, employees make mistakes and lose data, or they file things in the wrong place. This sets them up as easy targets for hackers who know where to look. It’s vital that you know where your data is stored and that it is where it’s supposed to be. Isolate your most sensitive data, put additional controls around it, and limit who can access it.
In a medical environment, any device that goes online is vulnerable and a potential gateway. Laptops, desktops, mobiles and iPads all need antivirus, antimalware and encryption software installed. And just as important, such software must be updated regularly to ensure that your data is being safeguarded with the latest security measures.
If possible, medical institutions should separate guest wireless networks from primary networks, and web filters can be added to restrict widespread Internet roaming on the primary network. Businesses should think about isolating and segmenting data access, ensuring that only those with proper credentials and a need to know can access sensitive and/or electronic personal healthcare data.
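Two of the controls above, knowing where sensitive data actually sits and limiting who can read it, can be checked rather than assumed. The following Python script is an added example, not code from the original post or from Mozy: it builds a constructed directory tree with dummy patient records, then flags any file containing PHI-shaped identifiers that either lives outside the designated secure folder or is readable by users other than its owner. The "MRN-" identifier format, the folder names, the sample records and the two regular expressions are all assumptions made for this demo; a real deployment would use the organisation's own identifier formats and approved storage locations.

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumed identifier formats for the demo: a US SSN-shaped number and a
# hypothetical medical record number written as "MRN-" plus seven digits.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}


def scan_file(path: Path) -> set:
    """Return the names of the PHI patterns found in a text file (empty if none)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return set()
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(text)}


def audit_tree(root: Path, approved_dir: Path) -> list:
    """Walk root and report every file with PHI-like content that is either
    stored outside approved_dir or readable by group/other users."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        hits = scan_file(path)
        if not hits:
            continue  # no sensitive identifiers, nothing to report
        mode = path.stat().st_mode
        others_readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        misplaced = approved_dir not in path.parents
        if misplaced or others_readable:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "patterns": sorted(hits),
                "misplaced": misplaced,
                "others_readable": others_readable,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> tuple:
    """Create a constructed file tree with dummy records (all values are fake)."""
    root = Path(tempfile.mkdtemp(prefix="phi_audit_"))
    secure = root / "secure" / "phi"          # the approved PHI location
    shared = root / "shared" / "downloads"    # a general-purpose shared folder
    secure.mkdir(parents=True)
    shared.mkdir(parents=True)

    # Correctly placed and owner-only readable: should not be reported.
    ok = secure / "patient_0001.txt"
    ok.write_text("Name: J. Doe\nMRN-0001234\nSSN: 123-45-6789\n")
    ok.chmod(0o600)

    # A copy exported to a shared folder: misplaced and world-readable.
    bad = shared / "export.csv"
    bad.write_text("J. Doe,MRN-0001234,123-45-6789\n")
    bad.chmod(0o644)

    # In the right place but readable by everyone on the host.
    loose = secure / "notes.txt"
    loose.write_text("Follow-up for MRN-0009876\n")
    loose.chmod(0o644)

    # Harmless file with no identifiers.
    (shared / "menu.txt").write_text("Cafeteria menu: soup, salad\n")
    return root, secure


def run_demo() -> list:
    """Build the demo tree and return the audit findings."""
    root, secure = build_demo_tree()
    return audit_tree(root, secure)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against a real share by calling audit_tree(Path("/path/to/share"), Path("/path/to/approved/phi")) instead of the demo tree. The permission check only looks at POSIX mode bits; on systems that rely on ACLs or NTFS permissions the "others_readable" test would need to be replaced with the platform's own ACL query.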
The value of the cloud
Companies are using the cloud for both efficiency and security purposes. The National Kidney Registry (NKR) took the decision to outsource their data management and security to a cloud provider with the experience and the resources to safeguard their data. NKR director of Education and Development Joe Sinacore explained to HealthITSecurity: “I want the people who have a vested interest in not just protecting my business, but everybody’s business and their own reputation. Seeing all of the resources that they put in on this, I don’t know how you can do it any better than that.”
No system is impenetrable and breaches can and do happen. But knowing where your data resides and who has access to it can help you respond effectively should a breach occur. Be sure to choose a cloud service provider that understands your business. As required by HIPAA, Mozy by Dell offers appropriate safeguards—including those for encryption, password restrictions, and data storage—to help you protect and secure the electronic health information you work with and store.