It’s a fact. Hackers want healthcare information. They want it even more than they want credit card information. Due to the value of electronic protected health information (ePHI), healthcare has been hammered by some of the most damaging attacks in any industry as of late. In 2016 alone, the healthcare industry averaged a data breach every single day, flooding underground marketplaces with fraudulently obtained personal information.
Overall, last year's data attacks impacted more than 23 million patient records—that’s an incredible amount of individual privacy violated.
In response to these rising threats, healthcare providers have no choice but to get in line with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Compliance with these acts signals that your business can be trusted to protect client data.
Healthcare Security Guidelines: What Is Required?
While there has been some debate over whether it is strictly required, encryption should absolutely be addressed as part of HIPAA compliance when it comes to safeguarding electronic protected health information (ePHI), including patients' names, addresses, social security numbers, birth dates, and other personal details. Any organization that stores, transmits, or otherwise handles this type of information should treat encryption as imperative, and it is especially important when ePHI is being sent outside of an organization's protected network.
"Once a communication containing PHI goes beyond a covered entity's firewall, encryption becomes an addressable safeguard that must be dealt with," HIPAA Journal stated. "This applies to any form (sic) electronic communication – email, SMS, instant message, etc. – except in the case where a patient has given their express, written permission for their PHI to be communicated without encryption."
Why Encryption Makes a Difference: Employee Errors
According to the latest research from the Identity Theft Resource Center, 2016 saw a 40 percent rise in healthcare-related data breaches compared with 2015. Not all of these incidents came as a result of cybercriminal activity, though.
Perhaps surprisingly, most security missteps happened at the hands of employees. A Breach Barometer report from Protenus found that simple insider error was the cause of three times more breaches than attacks launched with malicious intent.
A Closer Look: Real-World Cases of Unencrypted ePHI
This kind of mistake, even when it happens without malicious intent, can mean considerable penalties for healthcare providers. For example, in 2014, Adult & Pediatric Dermatology, P.C. had to pay a significant HIPAA fine after a thumb drive was stolen from an employee's vehicle. The $150,000 penalty wasn't handed down simply because the drive was stolen, but because it wasn't identified in a HIPAA risk analysis and appropriate steps weren't taken to safeguard patient data stored on the device.
"As we say in health care, an ounce of prevention is worth a pound of cure," Office for Civil Rights Director Leon Rodriguez, a former federal prosecutor, said. "That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."
Unfortunately, the dermatology firm isn't alone in this kind of incident. A Massachusetts hospital was required to pay a $218,000 penalty after it was discovered that employees were using an unsecured cloud file sharing platform to transmit patient data, Healthcare IT News reported.
In the case of the Massachusetts hospital, a fine was handed down before a breach ever took place, simply because staff members' actions were deemed too risky. This not only highlights the importance of security measures like strong encryption for ePHI, but the seriousness with which governing bodies treat these requirements.
To maintain compliance—and to stay off of the Department of Health and Human Services Office for Civil Rights' so-called "Wall of Shame"—healthcare organizations should follow a few best practices:
- Encrypt all sensitive data: Strong, top-of-the-line encryption should be in place to safeguard all healthcare data, including ePHI specifically. Employees should ensure that encryption is in place for data being stored, as well as data in transit.
- Do not email ePHI: Experts also recommend avoiding email for the transmission of ePHI. While patients can request that their information be sent to them unencrypted via email, this practice opens up a range of security risks. Instead, a more secure file sharing platform that supports robust encryption should be used.
- Restrict access: Restricting data access to only those who absolutely need it can help reduce risks and negligence that can lead to breaches.
- Train employees: Staff members who do have access to ePHI should receive training on how to handle this sensitive healthcare data securely. These sessions should be given a high priority and should take place on an ongoing basis so that accidents and negligent activities are reduced.