In the first half of 2016 alone, there were 263 health data breaches, reports Healthcare IT News. The number of individuals affected by a protected health information breach skyrocketed from less than 600,000 in 2010 to just under 112 million in 2015, according to the U.S. Department of Health and Human Services.
Protected health information (PHI) is a prime target for hackers and cyber criminals because in many cases it is easier to steal than credit card data or financial records. It’s also far more valuable, since health records contain all of a patient’s personal, medical, and financial data. Are you doing enough to protect yourself, your practice, and your patients?
Why hackers target health care
Health care has typically lagged behind other industries when it comes to investing in IT and data security, according to Medical Economics. That fact, combined with the shift from paper to electronic records has made health care particularly vulnerable to data breaches.
Most doctors are now using EHRs, which include not only patients’ medical histories, but also their personal and billing information — basically everything a hacker would need to steal a person’s identity. “On the black market, stolen health records command the highest premium … because the contents of EHRs provide cyber criminals with everything needed to wreak financial havoc by applying for credit cards or mortgages in another person’s name or even submitting tax returns,” reports Medical Economics.
Health care’s biggest vulnerability is its very dependence on the data it must protect, health care attorney Pam Hepp told Healthcare IT News. The problem isn’t just the security of the EHRs themselves, but rather the number of people who rely on access to that data, and the different ways it’s accessed. That gives hackers the ability to perform phishing expeditions or even ransomware attacks, targeting not only people but also the EHRs housing patient data, Hepp explained.
“Providers are very much dependent on these records, but also other technologies like medical devices and apps that provide different avenues for hackers to gain access into their system,” Hepp said. “There’s also the added issue of vendors or other third parties these providers don’t have complete control over.”
Be mindful of mobile
The growing popularity of mobile apps only amplifies security issues. The number of doctors who utilize mobile EHR apps increased from 50 percent in 2013 to 78 percent this past year, according to the 2016 Physicians Practice Technology Survey.
Clinicians who use mobile EHRs or other mobile health applications “should be careful of the privacy implications in carrying PHI in the palm of their hands,” cautions Physicians Practice, citing an IT security report showing that 84 percent of U.S. FDA-approved mobile health apps contained significant security vulnerabilities.
Yet fear of compromising patient data should not keep doctors from embracing mobile health tools. This is where a good bring-your-own-device (BYOD) policy comes in. As we’ve discussed in a previous post, a BYOD policy ensures that all mobile devices used to access PHI, especially doctors’ and employees’ personal devices, are secured with the same data protection technologies used in the practice.
How to protect your practice and your patients
Most practices are not budgeting enough for cybersecurity because they think their practices are too small to attract the attention of hackers, say experts. This is a mistake. “Losses incurred as a result of a data breach can be worse than a direct tangible property loss such as from a fire or tornado … Many cyber-criminals consider physician practices to be low-hanging fruit because they have not kept up with technology,” reports Medical Economics.
So what can you do? Sara Hempfling, vice president of treasury management at Enterprise Bank and Trust, recommends that all of her medical clients purchase cyber liability insurance. Large companies may pay about $2,500 per month for $1 million in coverage, but smaller businesses often pay much less and some coverage is often included in standard professional liability policies, Hempfling told Medical Economics.
Employee training is also a critical part of protecting your practice from cyber criminals. In addition to educating staff on your BYOD policy, teach them good security habits, such as using strong passwords and changing them frequently, keeping antivirus protection and software up to date, and not using unprotected Internet connections. See HealthIT.gov for more cybersecurity tips and best practices.
While there’s no “one size fits all” solution to cyber threats, stated Medical Economics, “overall awareness is one of the most crucial tools needed to better protect information.”
For more articles like this, check out the Practice Management section of our blog archives and sign up for our newsletter.