Cybersecurity attacks have been plaguing a variety of industries, and healthcare is no exception. Five of the 14 biggest healthcare data breaches occurred in 2015. But there is plenty that facilities can do to reduce their risk, according to a webinar conducted last week by the Society for Imaging Informatics in Medicine (SIIM).
Employee education, data encryption, and strong organizational security policies, for example, can be critical for avoiding these events, said attorney Helen Oscislawski.
"There's absolutely a disconcerting trend in the types of access and sheer volume of records that are being compromised in these kinds of attacks," she said.
Overall, six of the 14 largest breaches -- including four of the top five -- were due to cyberattacks, she said. Five were due to theft of unencrypted devices, and three were attributed to lost, unencrypted backup tapes, hard drives, or computers.
Consequences
Breaches can trigger class-action lawsuits against healthcare institutions, and these can get expensive fast. For example, a California law provides for payments of $1,000 per affected person even if the individual cannot show any actual damage. The Health Information Technology for Economic and Clinical Health (HITECH) Act also provides for payment to patients who are harmed by a breach, entitling them to a percentage of the penalties collected by the U.S. Department of Health and Human Services (HHS).
"It's important that you get your HIPAA security program up to snuff and in compliance," Oscislawski said.
The HIPAA security rule is an important starting point to make sure your organization is meeting its security obligations.
A 2015 report from Experian noted a persistent and growing threat of healthcare data breaches, and healthcare business leaders are facing increased scrutiny over security practices, she said. While hackers are expected to target healthcare data stored in the cloud, employees represent the biggest security threat, according to the report.
"Rogue employees internally are providing the means to have information accessed by people who want to do bad things with that data," she said. Employees may also unwittingly hand over their user name and password in response to a phishing email from someone posing as a member of their IT department.
As a result, employees need to be trained on the practices they must avoid and educated about the severe repercussions they could face for misusing data, Oscislawski said.
"These are criminal acts, and there have been individuals who have actually been prosecuted under the HIPAA statute for looking into data, taking data, and using data for their own personal purposes," she said. "So understanding the repercussions and destruction to an employee's future if they are engaged in that may deter at least some who may not be aware of the severe repercussions for misuse of data."
HHS action
In addition to class-action lawsuits for damages to patients, institutions can be subject to enforcement action by the HHS Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules. There have been more than 26 such cases -- 25 of them settlements -- over seven years of enforcement, for an aggregate of nearly $27 million.
Among the important lessons learned: Encrypt laptops and mobile devices, including thumb drives, she said. In every case that involved protected health information (PHI) compromised through lost or stolen laptops and mobile devices, encrypting those devices would have prevented exposure of the data. Under HHS guidance, PHI encrypted to the specified standard is not "unsecured" PHI, so the loss of a properly encrypted device (provided the decryption key was not also compromised) does not by itself constitute a reportable breach.
"HHS has zero tolerance for [a lack of] encryption," Oscislawski said. "If you are not encrypting, you have to have an extremely good reason why you are not encrypting. It's actually a default best practice right now that if you're not, you're basically falling short of the HIPAA security standard."
Also, dispose of PHI properly, including any information that might have been cached on systems such as leased copiers. And don't take PHI offsite, she said.
It's also critical to enter into business associate agreements with vendors that store, process, or otherwise handle your PHI. Finally, be sure to perform your HIPAA security risk assessment and keep it up to date.
"Focus on that aspect; get your IT people involved and make sure that [the security risk assessments] are done," she said.
Security policy shortcomings
Shortcomings in security policies have turned up in nearly every one of the cases pursued by HHS: either there was no policy on the topic, or there was no follow-through to ensure that the policy was actually being implemented, Oscislawski said.
"So make sure you are doing that," she said.
While healthcare institutions may be tempted to see themselves as sitting ducks for hackers, many of the security incidents that have taken place could have been prevented, particularly those involving HIPAA security violations, Oscislawski said.
Start with good written security policies, whether you develop them yourself or outsource the task, she said. These need to be updated whenever circumstances in the organization change, and compliance must be documented.
When it comes to implementing policies, it's important that these be disseminated throughout the organization.
"It can't be a perfunctory policy that's sitting on your shelf," Oscislawski said.
To that end, there needs to be an oversight structure -- involving the institution's privacy officer, security officer, and other individuals responsible for implementing these policies -- that meets regularly to go over any issues or shortcomings that have come up. It also needs to ensure that security "is an ongoing, live, active implementation process and [that] security is part of what the organization emphasizes and discusses on a daily basis," she said.