Protecting PHI is a challenge for many medical practices, but it is even more difficult for smaller organizations. To protect PHI, it helps to first know how cyber criminals can use it. Medical records don't expire, and almost all of them are organized by Social Security Number (SSN), a unique identifier that can be used for malicious intent. Stolen EHR data can be used to obtain prescription drugs, create new identities, get passports and driver's licenses, open bank accounts, and more.
According to SecurityWeek.com, “Protected health information sells for 30 times more than financial information on the dark web since it contains a full identity profile.”
“According to data provided by the United States Department of Health and Human Services, Office of Civil Rights (HHS OCR), the number of data breaches in the healthcare sector increased by 63 percent in 2016. In addition, the survey exposed two new trends: the acceleration of medical device hijacking and an increase of ransomware attacks.”
Under HIPAA, the Department of Health and Human Services is in charge of enforcing data security standards. Couple this with the fine structure, and with the fact that audits are performed by private companies that make their money based on the violations they find, and the danger of a crippling HIPAA audit is real for many practices.
Identifying potential violations requires an investment in time, training and money. Compliance is not cheap, and the vendors that sell to medical practices do not help the situation. We work with several medical practices that had relied on their medical device vendors to tell them that the devices were HIPAA compliant. What we discovered was that yes, they are compliant, but only if the device is implemented and used in a particular way.
As an example, one of these devices could be joined to an Active Directory domain, but the vendor's implementation of that integration was not HIPAA compliant. Instead, the vendor recommended that the patient records be stored directly on the device's hard drive. The documentation recommends a password policy, but the system has no way to enforce it. Basically, the vendor is putting the onus on the practice owner to develop password policies and then manually carry out regular password changes.
Another recommendation is to not connect the device to a network at all, or to connect it only to an isolated network without internet access. However, the vendor requires an internet connection to deliver system software upgrades and to provide tech support, where support personnel need to remote into the device to fix an issue. Additionally, these devices require one-off, disparate backup solutions, which makes recovery from a disaster that much slower. In practice, following the vendor's requirements for HIPAA compliance is not feasible.
The vendor documentation spells all of this out. Practitioners need to read the fine print and make their own determination of whether a medical device will be HIPAA compliant in their specific environment.
Don't believe the salesperson! Determine for yourself, or get specialized help that you trust, to make sure you are not at risk when implementing new devices and technologies.