Cyber security has become an urgent concern for hospitals and other entities of the healthcare continuum. Cyber breach headlines are now a daily news occurrence and present a continual struggle for healthcare institutions. A recent U.S. Government interagency report found that there have been 4,000 daily ransomware attacks since early 2016. In 2016 alone, the records of 16.6 million Americans were exposed due in large part to hacking.
Patient records are particularly vulnerable to these attacks due to the “holy trinity” of information they contain: name, social security number, and date of birth, making them prime targets for identity theft and blackmail. These records are sold on the dark web for ten times more than stolen credit card numbers, with a single Medicare or Medicaid Electronic Health Record fetching $500 or more.
The desirability of these records presents an ongoing struggle for Chief Information Security Officers. A security breach may yield a multitude of negative outcomes, from legal fines to loss of patient trust. This raises two questions: what potential liabilities do hacked institutions face, and how can they be prevented?
Legal Exposure
The Health Insurance Portability and Accountability Act (HIPAA) requires institutions to protect patients’ electronic protected health information (ePHI). The US Department of Health and Human Services (HHS), the agency charged with overseeing HIPAA compliance, has dramatically increased its enforcement of ePHI protection requirements over the past two years.
If an institution is hacked and it is determined that reasonable protection measures were not in place, the institution is subject to a variety of remedial actions, including corrective action, fines, patient mistrust and, in rare cases, jail time. These oversight efforts resulted in more than $23 million in HIPAA settlements in 2016. In addition to investigating hacked institutions, HHS has also launched a program of random audits of ePHI security.
HIPAA fines are tiered based on the degree of the violation and on whether an institution knew, or reasonably should have known, of the potential violation. Penalties range from $110 to $55,010 per violation. If an institution willfully neglects its duty to protect ePHI and does not correct the violation within a reasonable time, the maximum penalty of $55,010 per violation is enforced.
In addition to HIPAA fines, there is a growing prevalence of lawsuits by individuals and organizations whose records were exposed or insufficiently protected. A recent example is a class action lawsuit brought against Allscripts by Surfside Non-Surgical Orthopedics in Boynton Beach, Florida. The lawsuit states: “Healthcare industry knowledge and awareness of the widespread issues with SamSam ransomware have been known since at least March 2016… Allscripts disregarded Plaintiff’s and Class Members’ right by intentionally, willfully, recklessly and/or negligently failing to take adequate and reasonable measures to implement, monitor and audit its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced.”
The lawsuit alleges that clients were unable to access their systems, preventing them from conducting regular business and rendering them unable to fill prescriptions. Though the amount of damages and restitution sought remains undisclosed, there are more than 45,000 physician practices represented in the class.
Protecting Patient Data
HIPAA guidelines for ePHI protection are vague. For example, data encryption is not expressly mandated if an institution can give a reasonable explanation of why it cannot encrypt, or if it can show it has implemented an equivalent to encryption. However, if an entity experiences a data breach, the fact that the data was not encrypted, and that the alternative protection method did not prevent the breach, will most likely result in compliance action.
While some institutions may try to circumvent encryption to avoid the expense or hassle of implementing such measures, they are playing a dangerous game and will be vulnerable to both hackers and HIPAA fines.
At Aviva Healthcare Solutions, we work closely with InfoBay data encryption software that allows institutions to securely share information with the outside world, whether it is through email, SMS, chat or the secure transmission of large files. InfoBay easily integrates with existing IT systems and has been trusted by major private and governmental institutions ranging from banks and hospitals to insurance companies and port authorities.
“InfoBay enables the secure exchange of personal and confidential medical information, using encrypted communication to safeguard all data transfer.”
In addition to data encryption and traditional firewall technologies, institutions have the option of taking a further step to secure patient data: Content Disarm and Reconstruct (CDR) technology, also referred to as sanitization.
CDR technologies assume all files are suspicious, disarming emails and other incoming files before they enter an organization’s network. File components are stripped out and analyzed for threats. Anything malicious is neutralized, and the sanitized document is reconstructed and sent on to the recipient. The whole process takes a matter of seconds and remains largely invisible to the user.
A leader in the CDR space is Israel-based Sasa Software. Their award-winning Gatescanner products offer top-shelf CDR technologies and have been trusted by the most discerning and at-risk institutions, including the Israeli Ministry of Finance, the Ministry of Foreign Affairs in Singapore, Teva Pharmaceuticals, Société Générale bank, Assuta hospitals and a host of other institutions.
“Content Disarm & Reconstruction (CDR) technology changes the paradigm from Detection to Prevention. We know that Zero Day attacks and Undetectable Threats can eventually penetrate through Detection based controls, so we need to treat EVERY file as “Guilty” of carrying a malicious payload. We need to Disarm that file and transform it into a safe copy that we can trust. CDR does exactly that.”
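To make the CDR idea above concrete, here is an added illustration (not code from Sasa Software, Gatescanner or any other product named here) of a reconstruct-by-allow-list pass over a Word .docx package: instead of looking for known-bad content, the document is rebuilt from scratch keeping only the parts a static document needs, so the VBA project, the embedded OLE object and the external link in the constructed sample are dropped whether or not a scanner would have recognised them. Part names, relationship handling and the sample file are assumptions for this example; real CDR products cover many more formats and also rebuild the content of each part they keep.

```python
from __future__ import annotations
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
# Allow-list of parts a static Word document needs; every other part is presumed guilty.
ALLOWED = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(app|core)\.xml|word/(document|styles|"
                     r"settings|fontTable|numbering)\.xml|word/_rels/document\.xml\.rels|word/media/[^/]+\.(png|jpe?g))$")
RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
CTYPES = "http://schemas.openxmlformats.org/package/2006/content-types"

def zip_parts(parts: dict[str, bytes | str]) -> bytes:
    """Write parts into a brand-new container ([Content_Types].xml first, as Word expects)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for n in sorted(parts, key=lambda n: n != "[Content_Types].xml"):
            z.writestr(n, parts[n])
    return out.getvalue()

def disarm_docx(data: bytes) -> tuple[bytes, dict[str, bytes], list[str]]:
    """Rebuild a .docx from allowed parts only; return (clean_bytes, kept_parts, dropped_items)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept = {n: src.read(n) for n in src.namelist() if ALLOWED.match(n)}
    dropped = [n for n in src.namelist() if n not in kept]
    for name in [n for n in kept if n.endswith(".rels")]:
        base = posixpath.dirname(name.replace("_rels/", "")[:-5])  # folder of the part that owns the .rels
        root = ET.fromstring(kept[name])
        for rel in list(root):  # cut external links and references to parts we removed
            t = rel.get("Target", "")  # "/x" is package-rooted, anything else is part-relative
            resolved = t.lstrip("/") if t.startswith("/") else posixpath.normpath(posixpath.join(base, t))
            if rel.get("TargetMode") == "External" or resolved not in kept:
                dropped.append(f"{name}:{rel.get('Id')}")
                root.remove(rel)
        kept[name] = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
    ct = ET.fromstring(kept["[Content_Types].xml"])
    for ov in list(ct.iter("{%s}Override" % CTYPES)):  # content-type entries for removed parts go too
        if ov.get("PartName", "").lstrip("/") not in kept:
            ct.remove(ov)
    kept["[Content_Types].xml"] = ET.tostring(ct, xml_declaration=True, encoding="UTF-8")
    return zip_parts(kept), kept, dropped

def build_sample() -> bytes:
    """Constructed .docx carrying a VBA project, an OLE embedding and an external link."""
    return zip_parts({
        "[Content_Types].xml": f'<Types xmlns="{CTYPES}"><Override PartName="/word/document.xml" ContentType="application/xml"/>'
                               '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{RELS}"><Relationship Id="rId1" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="urn:x"><w:body><w:p>Patient note (constructed)</w:p></w:body></w:document>',
        "word/vbaProject.bin": b"constructed VBA container",
        "word/embeddings/oleObject1.bin": b"constructed OLE payload",
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{RELS}"><Relationship Id="rId1" Target="vbaProject.bin"/>'
                                        '<Relationship Id="rId2" Target="embeddings/oleObject1.bin"/><Relationship Id="rId3" Target="https://example.invalid/x" TargetMode="External"/></Relationships>'})
```

Running `disarm_docx(build_sample())` returns a fresh package holding only the four allowed parts, with the VBA project, the OLE embedding and all three relationships that pointed at them or outside the package listed in the dropped items.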
In this age of ever-increasing cyber threats, healthcare institutions must remain vigilant in securing patient information.
For more information about healthcare cyber security, including InfoBay and Sasa Software, please contact info@avivahealthsolutions.com.
Article by Ashley Remeza
Sources
Dimov, D. Identity Theft: The Means, Method and Recourse. Infosec Institute, 2013.
What Can I Do After an Improper Disclosure of Medical Records? FindLaw, 2017.
Nieten, A. What Happens if You Fail to Comply with HIPAA? Formstack.com, 2017.
Goedert, J. Allscripts Hit by Class-Action Lawsuit for Ransomware Impacts. HealthData Management, 2018.