It’s been over 20 years since HIPAA was signed into law in 1996, and it’s becoming increasingly important and complex to comply with. As health care expands its ePHI sharing through better technology and increased demand, the risk of data breaches also escalates. Health care records are more valuable than stolen credit card numbers on the Dark Web, according to a 2016 data breach report from the Ponemon Institute.
While there may be debate on whether health care records are more valuable than financial data, we do know that more than 16 million health care records were exposed last year, and this year we have already seen several large breaches and ransomware attacks.
Keeping patient information private is paramount in health care for obvious reasons. Thanks to the 2013 Omnibus Rule, covered entities and their business associates have done a better job of safeguarding patient data. Since 2013, we have seen HIPAA violations decrease, but it is not enough; breaches are still happening, putting patients and health care providers at serious risk. In fact, the Office for Civil Rights investigated over 150,000 complaints between 2003 and 2017, with fines totaling over $72 million.
It is time to do more with the “portability” aspect of HIPAA. Medical records, lab tests, and other health information should not only be kept secure, but also be accessible and easily shared between providers, specialists, and doctors, so that patients can be diagnosed more accurately and treated more quickly. Patients should feel confident that health care providers handle electronic protected health information (ePHI) properly, and in return, providers need to understand that any breach will have a major impact on patient satisfaction. For health care providers, keeping patient satisfaction levels high is critical to ratings, both for retention purposes and for reimbursements.
Compared to 1996, we have seen huge evolutions in the technology available today, in large part due to the rise of the Internet. With instant access to information, and multiple access points via desktops, tablets, phones, and IoT devices, the once very manual process of extracting medical records and PHI from archaic systems that could not communicate with each other has nearly transformed into a process of instant access to medical information.
While we are seeing a lot of improvements, especially in EHR systems, which continue to expand and connect more facilities and health care systems, we are not quite there yet. As health information exchanges have discovered, systems and methods that facilitate information sharing across different health systems and geographies face many challenges, and there is a lot to solve: protocols, integration points, APIs, authorization, auditing, and security. These technologies add complexity and, if not implemented properly, increase the potential for exposing patient information. While the Internet and smart devices have provided new routes and access points, they have also expanded the attack surface for bad actors.
As ePHI continues to attract hackers, it is crucial for health care providers, including staff, admins, IT, and anyone else who interacts with ePHI, to better understand threats and how to securely access and share data. Education and training will help close off some of the most common ways attacks happen. For example, knowing how to avoid social engineering tricks, such as recognizing suspicious emails that can infect systems with malware, may prevent a ransomware infection that could shut down an EHR system. Some hospitals hit by the WannaCry ransomware attack were forced to revert to pencil and paper with their patients. For health care IT, it means better understanding the threat landscape and the potential vectors into this valuable data, and performing a risk analysis.
As health care systems become ever more connected, data is everywhere: in the cloud, on laptops, tablets, and other devices, all of which IT must control. Knowing how to identify intrusions, respond to them, and prevent hackers from accessing these target-rich environments will decrease breaches in the future.
Demand for better access to our health data continues to grow, and expectations will increase for easy, fast, and secure means of sharing patient information. Health care professionals must continually assess risks, define policies for information security, educate and train employees on proper IT hygiene, and look for technology solutions that help them achieve better security. With so much at risk these days, including monetary fines, reputational damage, and ultimately patient satisfaction ratings, properly trained staff and mechanisms for sharing ePHI securely can help avert the significant consequences of data breaches.
Read the full article: https://www.dotmed.com/news/story/38720?p_begin=1
About the author: Bill Ho is CEO of Biscom, and is a recognized security expert for some of the most regulated industries, including healthcare. Bill received his BS in computer science from Stanford University, his MS from Harvard University, and his MBA from MIT’s Sloan School of Management.