Cybercriminals consider Electronic Health Records (EHR) the holy grail of personal data. Besides potentially incriminating health data, an EHR likely contains the patient’s contact information, health-insurance ID, Social Security number, and other sensitive financial details, giving anyone who steals EHRs sweeping access to an individual’s personal information.
“Personal medical information remains one of the most sought-after types of data for cybercriminals to steal,” writes Brad Spannbauer in this MedPage Today commentary. “And while this should concern all of us as patients and consumers of healthcare services, it also creates a priority-one level of urgency for any healthcare provider that has not yet implemented the strongest measures possible to secure its patients’ data.”
The Accenture report Are You One Breach Away from Losing a Healthcare Consumer?, based on the company’s 2017 Consumer Survey on Cybersecurity and Digital Trust, gives credence to Spannbauer’s claim, reporting that approximately one in four consumers (26%) have had their EHR compromised in a data breach.
As to what the cybercriminals do with the data, the respondents to the Accenture survey reported information from their EHR was used to fraudulently:
- Purchase items;
- Receive and pay for medical care;
- Fill prescriptions; and
- Access and possibly modify health records.
Spannbauer states that organizations suffering a data breach involving EHRs are in significant trouble, adding, “For healthcare organizations the stakes of a data breach can be enormous: steep fines and penalties from HIPAA regulators at the federal and state level, the potential for costly lawsuits, public outcry, and publicity damaging to a company’s reputation.”
Since the onus is on the organizations that have been entrusted with patient EHRs, Spannbauer offers the following suggestions for securing these highly sensitive digital files.
1: Develop a set of rules and policies for handling patient data
Creating a set of policies and procedures as to how employees handle EHRs is paramount. Equally important is documenting what is being put in place, distributing it to all employees, and conducting mandatory training. As to why this is important, Spannbauer mentions, “This set of policies will help minimize your company’s risk of data breaches, and it can also serve as helpful documentation demonstrating your organization’s eagerness to comply with HIPAA and other privacy laws—which could come in handy if regulators ever come knocking.”
2: Train employees on how to recognize phishing scams
Physical theft of hard-copy records tops the list of how health records are stolen; email scams are close behind. “According to data compiled by the HIPAA Journal, email scams represented the second-highest method for crooks to steal healthcare data in the first quarter of 2018,” writes Spannbauer. “So you’ll also need to train your employees to be smart about dealing with emails, websites, suspicious links, and file downloads.”
3: Limit messaging and collaboration apps to those that are HIPAA-compliant
There are secure, HIPAA-compliant apps for storing, sending, and receiving sensitive regulated data. The trick is finding tools and apps that make sense for the company and are also HIPAA-compliant.
In this article, Stephen P. Trahan compiled what experts at eFax Corporate consider to be the most secure apps for business collaboration and communication. Spannbauer offers the following cautionary advice about using cloud messaging services:
“One important, but often-overlooked factor here is that even apps designed for transmitting data through the cloud—email, text messaging, video conferencing, fax, etc.—will often maintain copies of that data on the app makers’ own servers. For this reason, you should be looking not only for apps that promise to secure your data as it traverses the internet but also to protect it afterwards, while it’s at rest, in cloud storage.”
4: Stay current on the latest cybersecurity threats and keep employees updated
Companies handling EHRs likely have current cybersecurity best practices in place—that’s good business, especially when sensitive patient information is involved. However, most cybersecurity platforms are reactive, which means they only work well against known phishing schemes, already-discovered malware, and attack patterns seen in previous data breaches; this is why it’s important to stay informed about current attacks and threats. Informing everyone within the organization about cybercriminals’ favorite methods of attack will go a long way toward preventing a data breach.