For health care providers, exposure to cyberattacks is becoming a stark reality. Findings in a recently released Health Care Cyberthreat Report by cybersecurity leaders confirmed the health care industry's vulnerability to cyberattacks. The Report attributed that vulnerability to a lack of progressive cybersecurity strategies and controls and to the increasing amount of electronic protected health information (ePHI) being exchanged over the Internet.
Just days prior to the Report's release, The Wall Street Journal reported that a national cybersecurity firm discovered information from providers on 4shared.com, a popular website that hackers use to post stolen data. The data included PHI and information that could be used to access provider networks. A search of 4shared.com by The Wall Street Journal found compromising information from three New York nursing homes, which reflects how cyberattacks can have compounding effects once information is disseminated beyond the original hackers.
Key takeaways of the Report include:
- Hackers not only obtained patient information but also gained access to devices within the organization. Compromised areas included radiology imaging software, video conferencing and digital video systems, and security systems such as VPNs, firewalls, and routers.
- Hackers did not discriminate when choosing their targets. Among the Report's sample, compromised entities included small and large health care providers (including physicians and health systems), medical supply companies, health plans and clearinghouses, pharmaceutical companies, at least one state human services agency, and other health care related organizations.
- When implementing new security systems, most network administrators properly changed the factory default settings and credentials, but some overlooked other devices attached to the network. These devices include printers and fax machines, which PHI inevitably passes through at some point and which are often left with their factory defaults in place.
- Health care providers cannot ignore the cost associated with unauthorized access of ePHI through cyberattacks. In addition to fines or settlements for HIPAA violations, the Report indicated that health care organizations pay an estimated $233 per compromised record for other related expenses, such as notifying victims, incident handling, credit monitoring, and projected lost opportunities.
What Providers Should Know
- Unauthorized access to ePHI can translate into HIPAA violations for health care providers, other covered entities and business associates. With an increasing amount of health data stored online, covered entities and business associates cannot ignore the threat that inadequate cybersecurity poses. Health privacy and security officers should identify every point of access that could leave the provider vulnerable to cyberattack and act accordingly to minimize that risk.
- As the volume of ePHI stored online and susceptible to hackers increases, so do the costs associated with cyberattacks. In a recent breach caused by a website glitch that exposed the PHI of approximately 612,000 individuals, health care insurer WellPoint paid almost $2 million to settle potential HIPAA violations. Considering the other costs associated with a breach of that size, the Report estimated that potential expenses could exceed $142,689,000. Although not attributed to a cyberattack, the WellPoint breach nonetheless illustrates the liability that health care organizations can incur when the security of ePHI is compromised online.
- Be aware that medical equipment such as dialysis or diagnostic imaging machines that is administered or updated remotely can expose a health care provider to additional cybersecurity risk if the data these machines process is not protected properly. Hackers can gain access to any ePHI stored on the device, use the device as a point of entry into the provider's network, or even cause physical harm to patients by tampering with the device's operation.
- Assessing the true security risks that health care providers face goes beyond evaluating compliance with HIPAA and similar state laws. Providers may be compliant with the law, yet still have security risks that need attention. Compliance and security are not one and the same.
For More Information
To access the SANS Institute Report, click here.
To access The Wall Street Journal article, click here.
For questions on the contents of this alert, contact an attorney listed within this communication.