To a healthcare organization, its most valuable assets are the technology used to treat disease and the highly trained medical professionals who care for patients. To a hacker, the most valuable asset is protected health information (PHI). This data describes attributes of an individual that cannot be changed the way a password or card number can, so it can be exploited indefinitely for malicious purposes.
According to a healthcare breach report from cloud security firm Bitglass, hacking and IT incidents reportedly accounted for almost 46% of healthcare breaches in 2018. The scale of hacking in healthcare systems is further supported by statistics from the Office for Civil Rights data breach log.
Their log shows that from 2018 until present day, 354 healthcare entities have had a breach due to hacking. While this number may seem small for two years, the number of people affected in each of these incidents ranges from a few hundred to hundreds of thousands. The lack of proper security controls for storage systems makes healthcare a prime target for hacking.
How Hackers Access Digital Systems
Hackers don’t need to reinvent the wheel to break into a digital storage system. Often the entry point is an email server or a phishing attempt. An unknowing employee who can’t distinguish a fake email from a legitimate one can click on a message or link that gives a hacker complete access.
Other access points for hackers include Electronic Health Record (EHR) systems, network systems, and portable devices connected to various servers. Identifying these attackers is not always possible because of the anonymity of the internet and especially the dark web. When an attacker can be identified, they may be a disgruntled employee who wants to divert patients to competitors or, more commonly, a member of a hacking ring that steals PHI to sell on the black market.
While profiting from personal health information is a major motive behind a cyberattack, attackers may want this personal information for several other reasons as well. That is why it is imperative for healthcare organizations to implement security practices for their digital networks.
Best Practices for Protecting PHI
Healthcare systems have many vulnerabilities, including weak security and multiple entry points. They run unsupported systems, many of which can’t be updated because of their age. Overall, the budget for IT and data security is not large enough to implement the security controls needed to protect PHI. Professionals in the healthcare and IT industries offered some best practices that healthcare organizations can follow to shield PHI from unauthorized parties.
—Dennis Chow, CISO at SCIS Security
—Lee Barrett, CEO and executive director, Electronic Healthcare Network Accreditation Commission (EHNAC)
—Marty Puranik, President and CEO of Atlantic.net
Encryption and HIPAA Regulations
The HIPAA Security Rule requires Covered Entities (CE) to implement physical, technical, and administrative controls to protect PHI. These rules also require an entity to complete a comprehensive risk assessment to find all security vulnerabilities that exist so the proper administrators can address them.
While these are important and necessary steps to take, the use of encryption is also a highly recommended way to protect PHI. HIPAA does not strictly mandate encryption; it is an “addressable” implementation specification, which means a healthcare organization must assess whether some form of it is reasonable and appropriate and document its decision if it chooses not to use it.
The SecureDrive product line is hardware-encrypted and HIPAA compliant. The devices can only be accessed through PIN authentication or secure authentication through a mobile device. An administrator can set read-only mode, see who accessed a drive and when, and remotely wipe the device in the event it becomes lost or stolen. To learn more about how our SecureDrive products can protect PHI from hackers, call 1-800-875-3230.