HIPAA – Then & Now
The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).
With good intentions, HIPAA set forth to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required much different security measures than what we see today.
23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.
The Digital Age
Today, the chances of you finding a healthcare provider that still relies on paper records is slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.
Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.
Hackers Exploiting Healthcare
According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.
So, why are hackers setting their sights on healthcare organizations? There are several reasons.
PHI yields high profits on the dark web. Where credit card information can quickly become worthless to cybercriminals, PHI is another story. Not only can healthcare breaches go undetected for sometimes lengthy periods of time, the data that is compromised in one is not something that the affected individual can easily change, like a birth date for example.
Hackers also know that the healthcare industry historically underinvests when it comes to IT security and training. What’s this mean for a cybercriminal? Lack of IT resources often means poor security, perhaps no firewall, outdated systems, no anti-virus, and more. In addition, lack of employee training means employees are ill-equipped to handle a cybercriminal’s malicious attempts at gaining access to the sensitive information they are expected to safeguard.
Furthermore, with the vast technology and highly connected systems used in the healthcare industry, one attack on a small system could lead to detrimental consequences for an organization. Cybercriminals know that organizations rely on these systems, and thus, suspect that attacking them may give them what they’re hoping for, like in a ransomware attack for example – pay the ransom and regain access to your systems, or ignore this request and lose your data.
Acknowledging the Cybersecurity Problem
With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from the cybercrime epidemic?
Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), who is responsible for enforcing HIPAA, hasn’t completely ignored the issue at hand.
In December 2018, HHS issued cybersecurity guidelines for the healthcare sector in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS’ is well-aware of the cybersecurity issues surrounding the healthcare industry.
In addition to the cybersecurity issues plaguing healthcare, protecting consumer data, in general, has become a hot topic with the passing of the EU’s General Data Protection Regulation (GDPR). While Congress has tossed around the idea of a federal privacy legislation that would create a unified privacy law, there are no real signs of that being carried out anytime soon.
How Do We Fix This?
- Don’t wait around for a regulation. It’s evident that we cannot wait around for HIPAA to change, or in hopes of Congress passing a federal law to better protect the privacy of patients and consumers.
- Take a look around. It is critical for both Covered Entities and Business Associates to take a closer look at the patient data they are protecting. Remember, cybercriminals don’t just seek out financial information, but rather, information that could yield a large profit for them, whether that be a birthdate, a Social Security number, or anything in between. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
- Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
- Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussion that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
- HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.
Technology will continue to advance, and hackers will continue to do the same when it comes to ensuring their skill set matches the need necessary to exploit these ever-evolving devices and systems. It is up to us to ensure that we continue to evolve our cybersecurity practices, which in turn will help us better protect PHI in the digital age where HIPAA has left holes.