The Pain Treatment Centers of America (PTCOA) recently released a HIPAA Security Notification stating that a 2015 data breach may have exposed the personal information of as many as 19,000 patients. This healthcare data breach involved hackers accessing EHR system files through data servers owned and operated by a third party.
The breached files included patient medical records, along with health visit information, name, address, health insurance information, driver’s license number or other ID and, in some cases, a Social Security number. As is standard in data breach situations, PTCOA offered affected patients credit alert protection for one year.
The healthcare industry is no stranger to data breaches. A new report published by IBM called 2015 "the year of the healthcare breach", with more than 100 million healthcare records compromised. Whether the breach is caused by a malicious attack, by stolen or lost assets such as laptops, by insider and privilege misuse, or by miscellaneous errors such as improper device disposal or mishandling of PHI, once this sensitive data is out, it is out there indefinitely. Most, if not all, healthcare files currently cannot be rendered useless once they are stolen. Current compliance and legal systems seem to look after the businesses but not the patients. While patients whose records have been compromised are given a year or two of credit alert or identity protection, they carry the burden of these breaches for the rest of their lives.
There are all kinds of recommendations from so-called experts: encrypt files in storage (at rest) and when they are emailed or shared via file shares (in motion), train employees, monitor, and deploy technologies such as endpoint protection or data loss prevention (DLP) systems. Even with all of these measures in place, there is still weekly, if not daily, news of healthcare data breaches. So what is missing, you might ask?
Most, if not all, healthcare environments simply pursue "compliance" rather than "security". Convenience is preferred over locking patient information down properly, and as a result patients suffer.
Health records typically contain credit card data, email addresses, Social Security numbers, employment information and medical history, much of which remains valid for years, if not a lifetime. While businesses get off with a scratch after a PHI breach, patients are left to deal with it for a lifetime.
The healthcare industry’s approach to cybersecurity is behind the times. Encryption needs to be used on health data and files, and owners of this data need to control who has access to it and what they are allowed to do with it regardless of location and device. There also needs to be some way that PHI can be rendered useless as needed.
What is missing within the healthcare industry is a data-centric approach. Even if a healthcare organization has perimeter security tools and encryption to protect information at rest and in motion, most, if not all, lack protection for PHI while it is in use. EHR/EMR systems may protect information inside the system, but once an authorized user is given access, PHI can be saved locally, copied, printed, or photographed with a phone. There is a huge threat gap being ignored.
The recent Verizon 2016 Breach Investigations Report stated that healthcare data breaches in 2015 were more likely to be caused by human error than by any other cause. Despite advances in information security research and in cyber detection solutions and tools, we continue to see many of the same errors. It is time for healthcare to close the threat gap and keep up with the times. The industry can benefit from implementing a Data Security Framework to identify where sensitive PHI is, control access to it through policies, and monitor its usage.
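The data-centric controls described above (protect PHI per record rather than per perimeter, gate every access through a policy that follows the data regardless of device, log each use, and keep a way to render a record useless on demand) can be sketched in a few dozen lines. The example below is added here to illustrate that framework; it is not code from PTCOA, Verizon, IBM or any EHR vendor. It assumes a hypothetical in-memory key service and vault, a constructed sample record, and a stand-in stream cipher built from the Python standard library (SHAKE256 keystream plus an HMAC-SHA256 tag) so that it runs without third-party packages; a production system would use an AEAD such as AES-GCM and a real key management service. Rendering PHI useless is implemented as crypto-shredding: destroying the record's data key leaves every copy of the ciphertext, wherever it was saved, copied or emailed, unreadable.

```python
"""Data-centric PHI protection sketch: identify, protect, policy-gate, audit, crypto-shred.

Added illustration, not code from the page's subject organisations. The cipher is a
stdlib stand-in for an AEAD (use AES-GCM and a real KMS in production).
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# --- 1. Identify: which fields of a record hold PHI ---------------------------------
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KNOWN_PHI_FIELDS = {"name", "address", "ssn", "insurance_id", "drivers_license", "diagnosis"}


def find_phi_fields(record: dict) -> set:
    """Return field names that are known PHI or whose value matches an SSN pattern
    (catches PHI that leaked into free-text fields such as clinical notes)."""
    hits = set()
    for key, value in record.items():
        if key in KNOWN_PHI_FIELDS or (isinstance(value, str) and SSN_RE.search(value)):
            hits.add(key)
    return hits


# --- 2. Protect: one data key per record, encrypt-then-MAC ---------------------------
def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the record's data key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag.  Keystream = SHAKE256(enc_key || nonce)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyService:
    """Hypothetical stand-in for a KMS. Destroying a key crypto-shreds the record."""

    def __init__(self):
        self._keys = {}

    def create(self, record_id: str) -> bytes:
        self._keys[record_id] = os.urandom(32)
        return self._keys[record_id]

    def get(self, record_id: str):
        return self._keys.get(record_id)

    def destroy(self, record_id: str) -> None:
        self._keys.pop(record_id, None)


# --- 3. Control + 4. Monitor: policy that travels with the data, and an audit trail --
# Constructed policy: role -> permitted actions. "export" additionally needs a managed device.
POLICY = {"clinician": {"read", "export"}, "billing": {"read"}, "guest": set()}


@dataclass
class Vault:
    keys: KeyService
    store: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def protect(self, record_id: str, record: dict) -> set:
        """Encrypt the PHI fields of a record under a fresh per-record key."""
        phi = find_phi_fields(record)
        key = self.keys.create(record_id)
        self.store[record_id] = {
            k: seal(key, str(v).encode()) if k in phi else v for k, v in record.items()
        }
        return phi

    def access(self, record_id: str, user: str, role: str, action: str, managed_device: bool) -> dict:
        """Every use is policy-checked and logged; a shredded record is 'revoked' even for allowed roles."""
        allowed = action in POLICY.get(role, set()) and (action != "export" or managed_device)
        key = self.keys.get(record_id)
        outcome = "allowed" if (allowed and key) else ("revoked" if allowed else "denied")
        self.audit.append((user, role, action, record_id, outcome))
        if outcome != "allowed":
            raise PermissionError(outcome)
        sealed = self.store[record_id]
        return {k: (open_sealed(key, v).decode() if isinstance(v, bytes) else v) for k, v in sealed.items()}


# Constructed sample record (not real patient data); the note field shows PHI leaking into free text.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "address": "1 Example Street",
    "ssn": "000-00-0000",
    "notes": "patient read out SSN 000-00-0000 at intake",
    "visit_type": "follow-up",
}

if __name__ == "__main__":
    ks = KeyService()
    vault = Vault(ks)
    print("PHI fields:", sorted(vault.protect("rec-1", SAMPLE_RECORD)))
    print("clinician read:", vault.access("rec-1", "dr_a", "clinician", "read", True)["name"])
    ks.destroy("rec-1")  # render the record useless everywhere it was copied
    try:
        vault.access("rec-1", "dr_a", "clinician", "read", True)
    except PermissionError as exc:
        print("after shred:", exc)
    print("audit:", vault.audit)
```

The point of the structure, rather than the particular cipher, is that the record stays encrypted wherever it is copied and every read passes through `Vault.access`, so the audit list is a complete record of use and a single `KeyService.destroy` call ends the life of the data.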