Healthcare Cybersecurity: Is Your Personal Health Information Secure?

Protecting personal health information (or PHI) is a challenge for many medical practices. But healthcare cybersecurity is even more difficult for smaller organizations.

How Cyber Criminals Use Your Personal Health Information (PHI)

To protect PHI, it helps to first know how cybercriminals can use this personal information to their advantage.

For starters, it’s worth noting that medical records don’t expire. Additionally, almost all records are organized by Social Security Number (SSN). These unique identifiers can be used for malicious intent.

Then, stolen electronic health record data can be used to:

  • Get prescription drugs
  • Create new identities
  • Get passports
  • Get driver's licenses
  • Open bank accounts…and more

According to,

“Protected health information sells for 30 times more than financial information on the dark web since it contains a full identity profile.

According to data provided by the United States Department of Health and Human Services, Office of Civil Rights (HHS OCR), the number of data breaches in the healthcare sector increased by 63 percent in 2016. In addition, the survey exposed two new trends: the acceleration of medical device hijacking and an increase of ransomware attacks.”

Challenges with Healthcare Cybersecurity

Under HIPAA, the Department of Health and Human Services is in charge of enforcing data security standards. Couple this with the fine structure and the fact that private companies perform the audits and make their money from any violations they find, and the danger of a crippling HIPAA audit is very real for many practices.


Identifying potential violations requires an investment in time, training and money. Compliance is not cheap, and the vendors that sell to medical practices do not help the situation. We work with several medical practices that had relied on the vendors of their medical devices to tell them the devices were HIPAA compliant. What did we find? Yes, they are compliant…but only if the practice implements and uses the device the right way.

As an example, a practice could add one of these devices to an Active Directory domain. But the practice's implementation of that integration was not HIPAA compliant.


Healthcare Cybersecurity Best Practices

Instead of domain integration, the vendor recommends that you store the patient records directly on the device's hard drive. In the documentation, the vendor recommends a password policy. The problem is that the system has no way to enforce it. In effect, the vendor puts the onus on the practice owner to develop password policies and then manually carry out regular password changes.


Another recommendation is to not connect the device to a network at all, or to connect it only to an isolated network with no internet access. However, the same vendor requires an internet connection to deliver system software upgrades and to provide tech support, where support personnel need to remote into the device to fix an issue.

Additionally, these devices require one-off, disparate backup solutions, which makes recovery from a disaster that much slower. In practice, following the vendor's requirements for HIPAA compliance is not practical.

The vendor documentation spells all this out. Practitioners need to read the fine print and make their own determination of whether a medical device will be HIPAA compliant in their specific environment.

Protect Your Personal Health Information

Don’t believe the salesperson! Determine for yourself or get some specialized help that you trust to make sure you are not at risk when implementing new devices and technologies. We can help! Trust CloudNexus to protect your critical data from the inside out.

When it comes to healthcare cybersecurity, there’s no room for error. Don’t leave your critical security concerns up to chance! Ready to get started? Contact us here or call (502) 440-1380.

This post was first published in 2017 but it was updated in 2021 just for you.
