As healthcare systems continuously adopt newer technology in an attempt to provide better care to patients, cybersecurity becomes a rising concern. While data breaches in the healthcare sector are not covered as extensively as those in the retail or banking sectors, they are no less significant. The information contained in stolen medical records, including names, birthdays, addresses, social security numbers, employment information and income data, can be used to purchase medical equipment and drugs, which can then be resold. Alternatively, this information can be used to file fake insurance claims. What makes this especially alarming is that, unlike a compromised credit card, a medical record cannot be cancelled and reissued.
Mobile devices like tablets and smartphones can provide hackers with backdoor access to the network of a medical group. While medical devices with internet or Bluetooth connectivity may have been revolutionary for the healthcare industry, they often severely lack the security protection required to ward off hackers. The rise in the consolidation of healthcare services through acquisitions and mergers results in extensive sharing and reviewing of medical data, which sometimes takes place on "legacy" systems that were never designed for digitized records; this gives hackers many opportunities to seize the data.
The HIPAA (Health Insurance Portability and Accountability Act) Security Rule, which took effect on February 20, 2003, focuses on safeguarding electronic protected health information (EPHI). HIPAA emphasizes maintaining the availability, confidentiality, and integrity of EPHI, and requires that any EPHI a covered entity creates, receives, maintains, or transmits be protected against reasonably anticipated threats and impermissible uses or disclosures.
The HIPAA Breach Notification Rule makes it mandatory for covered entities to notify patients in case of a data breach, and, depending on the magnitude of the breach, to inform the appropriate authority as well. Breach notifications should describe the nature of the EPHI involved and the personal identifiers exposed, any information known about the unauthorized person who used it, whether the information was actually acquired or viewed, and the damage mitigation measures implemented to tackle the situation. These notifications should be made within 60 days following the discovery of the breach. Further, the individual should be informed of the follow-up process that will protect him/her from potential harm, including a description of the efforts to investigate the breach and the precautionary measures taken to avoid a repeat. Since compliance alone is not enough, HIPAA imposes fines on providers that suffer breaches of protected health information, so that the cost, as well as the consequences of the breach, falls on the entity rather than on the attacker.
The healthcare industry needs to counter these advanced threats in order to reduce the number of cybersecurity breaches. This can be done by widely installing security patches on the machines that record data, and by simultaneously upgrading operating systems that are no longer patched. Implementing strict BYOD policies and increasing employee training to prevent data breaches caused by negligence may also prove effective.