
How Are Hackers Accessing HIPAA-Covered Data?


Healthcare hacking incidents are on the rise. Recent security reports from Verizon, HITRUST and Symantec all suggest that the cybersecurity risk is now at an all-time high. The threat from hackers is very real; they are targeting healthcare organizations, and when they gain access to healthcare computer networks they can steal many tens of millions of records.

This year alone, the Premera and Anthem hacking incidents exposed close to 90 million records, of which 11 million included healthcare data and Social Security numbers. But how are hackers gaining access to healthcare databases? What are the main risks to cybersecurity in the healthcare industry?

When data breaches are announced, they are usually described as “highly sophisticated” in nature. They would need to be to bypass multi-layered security systems, in which considerable time, money and resources have been invested. However, these highly sophisticated attacks often involve some rather unsophisticated tactics, including asking a person with access to Protected Healthcare Information to tell them their login details.

Phishing Schemes

Deceiving users into revealing passwords and other valuable information, such as encryption security keys, has been the method hackers used to gain access to huge databases of patient records. Examples include the intrusion at Anthem Inc., which resulted in the exposure of 78.8 million records, and the HIPAA breach at Premera Health, which is believed to have affected 11 million individuals, including exposing their Social Security numbers and healthcare data.

Phishing emails can be very convincing. Hackers spend a considerable amount of time and money designing emails to mimic those of service providers and other individuals that would appear to legitimately require user credentials to be supplied. It only takes one person to respond and provide login credentials for access to be gained and security measures to be bypassed.

Unpatched Software and Operating Systems

The Verizon security report indicated that in 99.9% of cases of security breaches caused by unaddressed security vulnerabilities, it was the failure to install software patches that caused the security breach. Software is released; security flaws are discovered; patches are issued to plug those security gaps. Software updates are often issued following successful attacks to prevent further intrusions. Developers have a constant job on their hands to keep operating systems and other software up to date and secure.

When patches are not installed, hackers have an opportunity to break through defenses. The report found that all of the cases involving security breaches were caused by the slow response to security updates. In all cases a patch could have prevented the breach, and a patch was available for more than 12 months prior to the breach occurring.

Virus & Malware Attacks

Once malware and viruses infect computers or servers they can be very hard to detect. They hide, make changes to programs to avoid detection and may even avoid detection on standard security scans. Recent cases of malware infections have exposed millions of confidential health records. A security breach at the Reeve-Woods Eye Center in December was caused when malware was inadvertently installed on two computers, with those programs taking a screen print of PHI as it was accessed. Approximately 30,000 records were compromised in the incident. Last month Advantage Dental discovered that malware had been installed for a period of three days. The malware allowed login details to be gained along with 151,000 medical records.

Simple Protection Measures Can Thwart Hackers

The HIPAA Security Rule requires covered entities (CEs) to employ physical, technical and administrative controls to protect PHI. These safeguards include installing software patches promptly, keeping anti-virus definitions up to date and regularly scanning for viruses.

Viruses and malware can get through security systems when staff makes simple mistakes. It is therefore essential that the staff receives training not only on HIPAA Privacy and Security Rules, but also on how to identify phishing schemes, malware and other malicious programs. Policies should be in place to restrict the websites that users can view and what they are permitted to download, as far as it is possible without restricting their ability to do their jobs.

However, the most critical action to take – which is a requirement of the HIPAA Security Rule – is to conduct a full and totally comprehensive risk assessment to discover all security vulnerabilities that exist so that action can be taken to address those issues and manage any risk.

Final guidance on risk assessments has been issued by the Department of Health and Human Services’ Office for Civil Rights, while numerous organizations offer Security Risk Assessment Tools, such as those available on HealthIT.gov. Tips and best practice advice are available from the Centers for Medicare and Medicaid Services website.

Since the security risk assessment is critical – if all security vulnerabilities are to be addressed – and given that so many healthcare providers and health plans were found to be committing HIPAA violations over this aspect of HIPAA Rules, guidance should be sought to make sure risk assessments cover every aspect of PHI security.

CEs should also note that the security assessment is not a one-time action that needs to be undertaken to ensure compliance; it is an ongoing process that must take place after any material change in regulations, following updates to IT infrastructures and at routine intervals throughout the year.

Data Protection for Lost and Stolen Devices

Hackers may be targeting the healthcare industry for the PHI it holds on patients; however, data exposures from lost and stolen devices account for the exposure of millions of records each year. HIPAA requires CEs to consider data encryption, although it is not mandatory – at a federal level at least – for data encryption to be used on all PHI that is stored. Some states, such as New Jersey, have put forward bills to make data encryption mandatory due to the high volume of data breaches suffered and the high risk to cybersecurity that portable devices pose.

For devices such as laptop computers, tablets, smartphones, memory sticks and pen drives, which are all easily lost and stolen, data encryption should be used. Otherwise any lost or stolen device containing PHI will constitute a HIPAA breach.

Data encryption is not the only solution, and neither is it infallible. Phishing campaigns can result in security measures being bypassed and security keys being obtained. Alternative – or additional – security measures can be employed such as the use of tracking software on portable devices, to at least be able to recover the data and put a stop to the breach. Software can also be installed that will allow the devices to have data deleted remotely in case of theft.

Given the number of data breaches that occur each year due to lost and stolen devices and the considerable cost of dealing with security breaches, CEs should give serious consideration to using data encryption or other methods to keep PHI protected in case of theft or loss of portable devices.

Author: HIPAA Journal
