HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2015 Healthcare Cybersecurity Threats

The healthcare industry is facing an elevated threat of attacks by hackers and healthcare providers and insurers are being targeted for the data they hold on patients and plan members. The threat does not only come from cyberspace, as thieves are on the hunt for the laptops and mobile devices of healthcare professionals for the information they contain.

Personal information and healthcare data carries a high value on the black market, and Social Security numbers, personal identifiers, ePHI and Medicare details are impossible for criminals to resist, especially when the databases storing that information contains tens of millions of individuals records and has substandard protections.

Healthcare Data Privacy and Security Threats

Healthcare organizations must fight a battle against cybercriminals on many fronts. HIPAA-covered entities must shore up defenses and thoroughly assess their organization for weaknesses, before implementing a plan to manage any potential security risks that are identified. Multi-level security systems must then be installed to ensure data is properly protected, access to ePHI must be controlled and monitored and rapid action taken if breaches are discovered.


Anthem Inc was recently targeted by a hacker who managed to steal the data of up to 80 million health plan members. Healthcare organizations are being increasingly targeted based on the volume of data they store and the security controls in place to protect it.

Please see the HIPAA Journal Privacy Policy

All covered entities must employ robust firewalls and implement multi-level security systems to prevent external access to internal systems and make it harder for hackers to obtain access to data.

Malware & Viruses

4.5 million records were stolen in a 2014 attack on Community Health Systems of Tennessee, with a group of Chinese hackers believed to have used malware to obtain access to the data.

Healthcare organizations must use antivirus software as a preventative measure against viruses and malware and automatically update definitions. Detailed scans for malware and viruses should also be conducted regularly.

Firewalls and Network Protection

Firewalls prevent external access to computer systems, but only while they are active. The disabling of firewalls can enable confidential data to be accessed by unauthorized individuals and even listed in the search engines.

Policies must be developed – and procedures introduced – to ensure network security constantly monitored and firewalls checked. Touchstone Medical Imaging exposed 301,700 records in 2014 due to a deactivated firewall.

Unencrypted Devices

The loss and theft of unencrypted devices is one of the biggest causes of HIPAA breaches. Password protection is insufficient to protect healthcare data; therefore data encryption should be used on all devices (or a suitable equivalent security measure) to prevent third party access. Last year Sutherland Health Services exposed 342,000 records when two unencrypted laptops were stolen.

Employee Snooping

Employees improperly accessing patient data are a constant threat and one of the most difficult security issues to tackle. While the risk of internal theft cannot be eliminated, covered entities must ensure the staff is aware of HIPAA Privacy and Security Rules and of the penalties for snooping. Full access logs must be maintained to ensure network privileges are not abused.

Insecure Disposal of PHI

All digital equipment capable of storing information must have all stored data securely erased prior to being decommissioned. In 2010, Affinity Health Plan Inc., exposed 344,579 records by failing to delete data stored on photocopiers.

HIPAA covered entities must maintain an inventory of all computer equipment, mobile devices and hardware and ensure that any stored data is permanently and securely erased before recycling or decommissioning. This includes computers, pen drives, laptops, tablets, photocopiers and digital printers.

Insecure Messaging.

Mobile devices such as smartphones, tablets and pagers can easily be used to communicate Protected Health Information. Surveys suggest healthcare professionals are regularly violating HIPAA regulations by using the devices to communicate ePHI and personally identifiable information.

All mobile devices must have secure messaging software installed – or other forms or data encryption software – before they can be used to transmit ePHI.

Security Risk Analyses and HIPAA Compliance Audits


A comprehensive security risk analysis must be conducted to identify all potential threats and vulnerabilities and policies and procedures developed – and documented – to ensure healthcare and personal data is appropriately protected.

The pilot audits conducted by the Department of Health and Human Services’ Office for Civil Rights demonstrated security risk analyses to be a major area of non-compliance.

The Office for Civil Rights plans to audit healthcare providers, clearing houses and health plans in 2015 and can fine organizations found to be in violation of HIPAA regulations, such as a failure to implement appropriate controls to protect ePHI.

Have your data privacy and security policies been updated recently and have you done enough to secure patient health data and avoid a fine for non-compliance?

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.