
Cyber Criminals Want Your Data: Protect Your Patients—and Your Lab

by | Apr 28, 2015 | Enforcement-lca, Essential, HIPAA-lca, Lab Compliance Advisor

Recent data breaches, from the much-publicized hacks of Sony and the retailer Target to those closer to home (Anthem and Premera Blue Cross, two of the nation’s biggest health care insurers), have spotlighted the risk of cyber attack. The risk is so great that this February President Obama held a cyber security summit to discuss measures to address both public- and private-sector threats. Last spring, the FBI released a private industry notification (PIN) to the health care industry stating that health care is particularly vulnerable to cyber attack. PINs aren’t made public, but according to a report by Reuters, which obtained a copy of this one, it reads in part, “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” Cyber attacks are also likely because health care data is particularly coveted by those who trade in black-market data. According to Alan Paller, director of research for the SANS Institute, an organization that offers IT security training and certification, “People pay as much as 20 times as much for health care data as they do for credit-card data.” It’s not hard to see why. With credit card data, a black-market purchaser gets names, addresses, and social security numbers. Health care records provide much more information, including next of kin, whom to call in case of emergency, and of course, details of health conditions. Health care data can also provide information useful in obtaining prescriptions for drugs. In addition, credit card data has a limited usefulness—people cancel their cards and change their account numbers when they’ve been hacked—but health care data is permanently useful. You aren’t going to change your family members or the fact that you have type 2 diabetes when your health care records are stolen. It’s likely that the problem is already worse than most people realize, says Paller.
Not all cyber attacks, perhaps only a small percentage, make the news. Cyber extortion may be as common as cyber theft. A hospital or other health care entity may receive an email telling them that their data has been stolen, providing evidence of the theft, and demanding a ransom to keep the theft from being publicized. Even if the victim pays the ransom (and the FBI typically advises them to do so, says Paller) the data is still sold—it’s a win-win for the thieves—but the public is none the wiser. Because of the delicate nature of investigations into this type of crime, and the fact that a system is particularly vulnerable to subsequent attacks until there has been time to locate the breach and repair the defenses, the authorities often recommend delaying a public statement, says Lisa Clark, health care attorney with Duane Morris in Philadelphia.
Big Trouble

If your lab is the victim of a cyber attack, or your data is compromised in any way (even an internal mistake, such as a lost laptop or flash drive), you are required to file a report with the Office for Civil Rights (OCR) and notify anyone whose data may have been compromised, explains Rick Hindmand, a health care attorney with McDonald Hopkins in Chicago. If more than 500 individuals are involved, the breach must be made public as well. “The report filed with the OCR may generate an investigation, and depending on the circumstances, could result in penalties,” says Hindmand. In addition, the Federal Trade Commission can take enforcement action for inadequate information security practices as “unfair acts and practices” under section five of the FTC Act, adds Paula Stannard, an attorney specializing in health care law at Alston and Bird, and former deputy general counsel and acting general counsel of the U.S. Department of Health and Human Services. However, penalties are likely to be the least of your problems if you’ve had a serious data breach. Though HIPAA rules do not allow for a private cause of action, there are several ways for victims to file individual suits. “A number of courts, especially state courts, have looked to HIPAA as establishing a standard of care for health privacy in negligence actions,” explains Stannard. “If you fail to meet that standard of care, plaintiffs may have a private cause of action based on state negligence law in state or federal court.” If your security is breached, you’ll encounter many other, often unexpected expenses, even if the OCR doesn’t impose penalties and no patients file suit. The costs include legal representation, forensics to determine the cause of the breach and make repairs, notifying patients whose data was compromised, setting up a call center to answer patient questions, credit monitoring, and identity-theft protection for affected individuals—all this can add up very quickly.
A 2014 study by Ponemon Institute estimated the cost of a data breach to be around $200 per record in the United States, with the health care industry having one of the highest costs per record of all industries.
How to Protect Your Data—And Yourself

So what can you do besides wait and hope you’re not one of the ones who gets hit? You’ve had a risk analysis, your staff has been through HIPAA training, you’ve bought the latest software and keep up with security upgrades. What more can you do? “If you do everything right and meet HIPAA’s ‘reasonable standards’ of training, risk analysis, and so on, and you still get hacked, you aren’t likely to face any penalties, and your chances will be better in court if you are sued. But you should keep in mind that doing the minimum to satisfy the HIPAA rules might not be all that you can do,” says Hindmand. If you want to take security protection seriously—and it is in your interest as well as that of your patients to do so—then you may need to up your security game. Paller offers a few tactics you may not have thought about:
  • Take special precautions with all access points, places where physicians, patients, clinics, or other labs can access your data. If physician clients have passwords that allow them to access your data, they may not keep it secure. Use the latest encryption methods for an additional level of protection. Make sure all email communications with providers are encrypted. There are many potential access points to your data. These access points may seem harmless in the big picture of protecting patient privacy, but are potential weak spots that can be exploited by hackers.
  • Periodically update your security risk analysis. Don’t do just the basic minimally required analysis; hire security consultants and dig deep.
  • Encryption is the expectation—passwords are not enough. Encrypt all sensitive data.
  • Move to next generation firewalls. These protect against sophisticated attacks by identifying what kind of data is coming through the firewall and making a determination about how to respond based on the type of traffic coming through the network. These newer firewalls are far superior to the previous generation.
  • Consider installing end-point protection that tests attachments by opening them in an enclosed space (called a sandbox). This could be especially useful when getting patient data from hospitals and clinics.
  • Perhaps most important of all is white listing. This keeps people—even if they can get into your system—from being able to install any applications on your computer. People often don’t take this relatively simple step because it can be inconvenient, says Paller. If an employee is working from home and needs, say, to connect to a printer, and he hasn’t been added to the white list, he won’t be able to get the job done until he’s back in the office. This inconvenience is small compared to the protection offered by white listing.
  • Consider buying cyber security insurance to cover the costs you will encounter in case of a breach—even if you are cleared of wrongdoing.
These measures may cost time, money and other resources, but you’d be wise to at least consider going a few steps beyond the basic security measures. The threat is real, and as a member of the health care industry, you are a juicy target for some of the most sophisticated cyber criminals out there. If the good news is that there is probably a lot more that you can do to protect yourself and your patients’ data, the bad news is that even the very best you can do will probably not be enough in the long run. The world of cyber security “is an arms race,” says Paller. It is a constant struggle to stay one step ahead of cyber criminals. But if it’s an arms race, it’s also an odds game. By going beyond the basics, you definitely reduce the chances that you’ll be hit, and, says Hindmand, the more precautions you’ve taken the less it will cost you if you are hit.

Takeaway: Cyber attacks are a very real threat, and your responsibility to protect patient data goes well beyond HIPAA training and risk analysis. But actually protecting that data may be a greater challenge than you realize.
