Why Monitor More Than Your EHR: HIPAA Security Rule.
How effectively does your healthcare organization protect and secure ePHI? Not at all effectively—unless your organization is the rare exception.
The truth is that most healthcare organizations violate at least some aspect of the HIPAA Security Rule, putting both patient data and HIPAA compliance at risk. Healthcare, in fact, is one of the top five industries targeted by cybercriminals.
And healthcare’s struggle to protect patient data is happening on a rather remarkable scale. If current trends continue, Modern Healthcare predicts that by 2024, every single patient in the United States will have had his or her patient data compromised.
The Office for Civil Rights (OCR) is pushing healthcare organizations to reverse this trend by ramping up enforcement activities to unprecedented levels. In 2016 alone, more than $22 million was paid to OCR in HIPAA violation settlements.
Keeping EHRs Safe Isn’t Enough
Many healthcare organizations focus strongly on keeping EHRs protected. But that’s not enough. The Privacy Rule specifies the necessity of protecting “all individually identifiable health information,” and it specifies that protected information may exist “in any form or media, whether electronic, paper, or oral.” The Security Rule’s safeguards apply to the electronic form of that information (ePHI) wherever it is created, received, maintained, or transmitted, not only inside the EHR. Conducting a risk analysis, itself a HIPAA requirement, is how an organization finds out where that data actually lives.
Think of an EHR as the tip of an iceberg: It’s the most visible part of a very large bulk of data. It’s natural to focus upon keeping the EHR secure because it’s so visible. But focusing exclusively upon that tip of the iceberg places a massive quantity of associated data at risk.
The data contained within each EHR is commonly replicated in many different forms and in many different systems and applications—the bulk of the iceberg. Each electronic health record, in part or in whole, might also be found in:
- Office productivity software
- Documents and spreadsheets
- Computer systems (database servers, web servers, fax servers, etc.)
- Endpoint hardware such as desktop workstations and laptops
- Cloud-based and virtual systems
- Messaging apps (including email, texting, and file transfer tools)
- Removable media such as CD/DVD, flash drives, and tapes
Providing true patient data security—and assuring that your healthcare organization is not charged with HIPAA violations—requires that safeguards protect patient data wherever it exists, including all the above.
By conducting a HIPAA Risk Analysis, you can identify which applications and systems hold or transmit ePHI, and therefore which of them need the safeguards required by the Security Rule.
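The inventory step of a risk analysis is easier to reason about with a concrete discovery scan. The following is an added example written for this page, not code from the original article or from any vendor product: it walks three of the storage types listed above (a plain document, a spreadsheet, and a database table, plus a fax-server log that should come back clean) and reports which locations contain identifiers that commonly signal ePHI. The SSN and date-of-birth patterns are standard formats; the medical record number pattern ("MRN" followed by 6 to 8 digits) is an assumed convention that a real scan would replace with the organization's own numbering scheme. All sample data is constructed inline so the script runs offline.

```python
"""ePHI discovery scan across several storage types (constructed sample data)."""
import csv
import io
import re
import sqlite3

# Identifier patterns. SSN and DOB forms are standard; the MRN form is an
# ASSUMED convention ("MRN" + 6-8 digits) used only for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def find_identifiers(text):
    """Return {label: match_count} for every pattern that hits in `text`."""
    hits = {}
    for label, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[label] = count
    return hits


def scan_document(text):
    """Plain documents are scanned as-is."""
    return find_identifiers(text)


def scan_spreadsheet(csv_text):
    """Flatten every cell of a CSV into one blob before matching."""
    rows = csv.reader(io.StringIO(csv_text))
    return find_identifiers("\n".join(" ".join(row) for row in rows))


def scan_database(conn):
    """Walk every user table in a SQLite connection and scan each row's values."""
    cur = conn.cursor()
    tables = cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"
    ).fetchall()
    parts = []
    for (table,) in tables:
        for row in cur.execute(f'SELECT * FROM "{table}"'):
            parts.append(" ".join(str(value) for value in row))
    return find_identifiers("\n".join(parts))


def build_inventory():
    """Scan constructed sample sources and return {location: hits}."""
    # Constructed sample data: a clinical memo, a billing spreadsheet,
    # a fax-server log line with no identifiers, and a departmental database.
    memo = "Patient MRN-00123456 DOB 04/12/1961 follow-up scheduled."
    billing = "name,ssn,amount\nJ Doe,123-45-6789,250.00\nR Roe,987-65-4321,80.00\n"
    fax_log = "2016-03-01 fax sent to 555-0100 pages=3 status=ok"

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (mrn TEXT, note TEXT)")
    conn.execute("INSERT INTO visits VALUES ('MRN00987654', 'routine visit')")
    conn.commit()

    return {
        "memo.txt": scan_document(memo),
        "billing.csv": scan_spreadsheet(billing),
        "fax_server.log": scan_document(fax_log),
        "visits.db": scan_database(conn),
    }


def locations_with_phi(inventory):
    """Sorted list of locations where at least one identifier pattern matched."""
    return sorted(name for name, hits in inventory.items() if hits)


if __name__ == "__main__":
    inventory = build_inventory()
    for location, hits in inventory.items():
        print(f"{location:16} {hits or 'no identifiers found'}")
    print("needs Security Rule safeguards:", locations_with_phi(inventory))
```

Run as a script, it lists each location with the identifier types found and then the subset that must be brought into scope for safeguards. The scan is deliberately pattern-based; in practice you would tune the patterns to local formats and add the remaining locations from the list above (mail stores, cloud buckets, endpoint disks, removable media) as additional scan functions feeding the same inventory.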
Application security is also an issue for many healthcare organizations. Applications developed internally within healthcare enterprises often fail to provide sufficient ePHI protection. A recent SANS survey (2016 State of Application Security: Skills, Configurations and Components) revealed that healthcare is ranked the most immature of all industries in terms of application security programs.
Why has healthcare become such a favored target of cybercriminals? The sheer value of pilfered medical records is certainly one reason. Forbes recently reported that the value cybercriminals might receive from a single stolen health record can range from hundreds to thousands of dollars.
But cybercriminals also have learned that medical records are very poorly protected targets. Most healthcare organizations simply don’t put in place all the defenses necessary for protecting sensitive patient data. Internal threats, particularly, are often entirely overlooked. Healthcare, in fact, lags behind all other industries in deploying safeguards sufficient to keep data safe.
And that’s largely because most healthcare organizations are playing catch-up. While other industries have half a century of experience in protecting electronic data, the healthcare industry is relatively new to the game. The financial services industry, for example—also a top-five targeted industry—has been fending off cybersecurity threats for decades. Even so, this industry vertical continues to spend big on cybersecurity.
Until recently, most healthcare organizations predominantly used physical, paper-based health records. But recent government mandates have spurred the adoption of electronic records in healthcare. According to The Office of the National Coordinator for Health Information Technology, less than 10 percent of hospitals used an electronic record system in 2008. Within only six years, the percentage of hospitals using electronic records exploded to nearly 97 percent.
This rapid adoption of new technology has not occurred without the accompaniment of some growing pains. Most notably, healthcare organizations have struggled to maintain sufficient data security from internal and external threats.
Analyzing ALL the Risks
All of the electronic systems and applications listed above are vulnerable to cyber-attacks. ePHI can also frequently be found in healthcare organizations’ financial and administrative systems, managed care and departmental imaging systems, and expanded clinical departments. It’s also common practice to transfer data between healthcare providers, clinics, labs, hospitals, pharmacies, and patients. Each transmission of data represents an additional point of vulnerability.
The HIPAA Security Rule requires that each healthcare organization conduct a risk analysis to ensure HIPAA compliance. Given the many points of vulnerability to which every bit of patient data may be exposed, each risk analysis must be very in-depth.
The risk to your healthcare organization extends far beyond just your electronic health records. Implementing a well-rounded monitoring system that encompasses every platform where ePHI lives helps keep all patient data safe, reduces the likelihood of breaches, supports HIPAA compliance, and lowers the odds of a massive OCR settlement.