Did you hear about the time McAfee Labs dubbed 2014 “The Year of Shaken Trust”? Back then, a medical record was ten to twenty times more valuable to hackers than a credit card number because it offered copious amounts of sensitive personal data. It's been two years since that report was issued, which should mean we've come a long way in securing electronic protected health information (ePHI). Instead, the news is filled with one healthcare data security breach after another. In one incident, a Southern California hospital was forced to pay a $17,000 ransom to have its network restored. In another, 3.7 million patient records were accessed. And this list goes on. (And on.) The number of major HIPAA data breaches for which cyber attackers are responsible has increased 300% in just three years. With healthcare data at such high risk, it’s shaping up to be a critical time for HIPAA compliance, web form security, and other healthcare IT measures.
What’s Happening with Healthcare Data Security?
To hackers, ePHI is even better than hitting the jackpot. A single medical record offers a bevy of black market opportunities, from insurance fraud and prescription abuse to identity and credit card theft. And because healthcare organizations often lack the sophisticated backup systems that are common in other industries, they’re prime targets for cybercrime. That’s why the Brookings Institution is predicting that one in thirteen patients will be impacted by provider data breaches by 2019, in part because federal mandates forced so many practices to adopt electronic health records (EHR) before they were ready to adequately invest in IT security. According to the report, it’s not uncommon for facilities to share large datasets because they lack the time and resources to filter out who should have access to what patient information.
How Do HIPAA Data Breaches Happen?
Most healthcare data hacks start with an unsuspecting employee doing something as simple as viewing a patient record or opening an email attachment from a legitimate-looking address. In one experiment, IT security consultants infiltrated a computerized medicine dispensary by dropping off malware-containing USB sticks stamped with the hospital’s logo. In another, the same team filled patient portal form fields with malicious code to be triggered when viewed by a doctor or nurse. Mobile healthcare data is also to blame: A 2016 survey found that eight in ten Google Play diabetes apps lacked privacy policies. Around the same time, more than 80% of surveyed healthcare employees admitted to being fearful of mobile cyberattacks involving malware, blastware, and ransomware.
What Can You Do to Secure Your Healthcare Data?
For starters, choose your vendors wisely. Web forms must be HIPAA compliant, privacy policies should be in place, and digital tools in general should meet high security standards. As one well-regarded security expert put it:
“Every healthcare institution must realize that their patients' data is their most valuable data, and serious protection means, at the least, the introduction of the same security measures now protecting other sectors.”
Bottom line: It’s up to each healthcare organization to take steps to ensure its ePHI stays safe. Instead of assuming your vendors have a variety of security measures in place to safeguard medical information, be prepared to ask questions such as these:
- How are emails and web traffic encrypted?
- How is “at rest” data protected?
- What steps are you taking to ensure we remain HIPAA compliant?
- What security measures, such as SSL/TLS encryption and stronger authentication controls like 2FA, are available for online forms?
- How is information protected as it flows from one user to another?
With Formstack’s HIPAA-compliant secure forms, healthcare providers can collect data with the confidence it's being protected by layers of extra security.