How To Strengthen Defenses Against HIPAA Data Hacking

The large-scale data breaches that affected Anthem and Premera Blue Cross this year – and Community Health Systems in 2014 – are a sign of things to come. Healthcare providers, insurers, healthcare clearinghouses and healthcare business associates must face up to the fact that the game has changed: cyber attacks are now an inevitability, not just a possibility.

Criminals have previously concentrated on obtaining credit card numbers to commit fraud, but following last year's major breaches at Target and Home Depot, the retail industry is taking action to implement new safeguards and protect consumer data.

As the $7 billion retail industry improves its defenses, hackers are turning to other, less protected industries, and the healthcare sector is the prime target. Thieves are now concentrating on obtaining Social Security numbers to sell on the black market. These numbers, especially when accompanied by healthcare data and other personal identifiers, can be used to commit identity and medical fraud worth millions of dollars, with a much lower risk of being caught.

While direct hacks of servers still take place, one of the main ways criminals gain access to healthcare databases is by using malware and email scams to get users to reveal their login names and passwords. This year's two mega data breaches, at Anthem and Premera, both resulted from criminals obtaining the login credentials of members of staff by tricking them into revealing them.


While it is possible to strengthen defenses against hackers, employees must also be trained on how to spot phishing attempts and malware. Implementing data security measures carries a high cost, and while that cost is far lower than the cost of responding to a data breach, finding the funding for data security can be difficult.

However, there are some simple steps that can be adopted which can greatly reduce the risk of hacks and data breaches, many of which are relatively inexpensive:

Provide Staff Training

All staff must be trained on HIPAA Privacy and Security Rules and must be taught how to identify malware and viruses. They must also be thoroughly trained about the circumstances under which PHI can be released, and to whom.

Strengthen Passwords

Weak passwords are easy for hackers to guess, and guessing them can be a quick and simple way into computer systems. Implement a new password policy: require upper and lower case letters, a mix of letters and numbers, and a minimum of 8 characters. All factory default passwords on computers, routers and other equipment must be changed.
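The policy above, implemented as a checker that reports every failed rule at once, is shown below as an added example in Go. It is not code from HIPAA Journal; the list of factory default passwords is a constructed sample, and an organization would load the documented defaults for its own equipment instead.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// MinPasswordLength is the article's minimum of 8 characters.
const MinPasswordLength = 8

// factoryDefaults is a constructed sample of vendor default credentials.
// A real deployment would load the documented defaults for its own
// computers, routers and other equipment.
var factoryDefaults = map[string]bool{
	"admin":    true,
	"password": true,
	"12345678": true,
	"Admin123": true,
}

// CheckPassword returns nil when pw satisfies the policy (minimum length,
// upper and lower case letters, at least one digit, not a factory default);
// otherwise it returns an error listing every rule that failed, so the
// user can fix all of them in one attempt.
func CheckPassword(pw string) error {
	var problems []string
	if len([]rune(pw)) < MinPasswordLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", MinPasswordLength))
	}
	var hasUpper, hasLower, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasUpper {
		problems = append(problems, "no upper case letter")
	}
	if !hasLower {
		problems = append(problems, "no lower case letter")
	}
	if !hasDigit {
		problems = append(problems, "no digit")
	}
	// Compare case-insensitively so "PASSWORD" is caught as well as "password".
	if factoryDefaults[pw] || factoryDefaults[strings.ToLower(pw)] {
		problems = append(problems, "matches a factory default password")
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	for _, pw := range []string{"admin", "Admin123", "Short1A", "Xq7trailhead"} {
		if err := CheckPassword(pw); err != nil {
			fmt.Printf("%-14s rejected: %v\n", pw, err)
		} else {
			fmt.Printf("%-14s accepted\n", pw)
		}
	}
}
```

The default-password check matters as much as the character rules: "Admin123" satisfies every composition rule yet is rejected because it is a known factory default.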

Segment the Network

It is essential that data is stored securely on a dedicated local server or in the cloud (using HIPAA-compliant services) and that access to that data is allowed only from specific internal nodes. Employees must be prevented from accessing PHI while connected to the internet. Data should be segmented as far as possible, so that if one server is compromised, the entire patient database of health records, financial information and personal identifiers is not compromised with it.

Back Up All Data

All healthcare data must be backed up routinely to ensure that in an emergency it can be recovered. While some cyber criminals want data to sell on the black market, others just want to cause disruption, and others may hold data for ransom. It is essential that thieves are prevented from deleting or altering PHI, and that any deletion or alteration of backups is detected.
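A backup is only useful if you can tell that it has not been altered or trimmed before you restore from it. The added Go example below (not HIPAA Journal's code) builds a SHA-256 manifest of a backup set and signs it with an HMAC key held by the backup system rather than the servers being backed up, so an intruder who alters a backup and regenerates the manifest still cannot produce a valid signature. The file contents and signing key are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest records the SHA-256 digest of every file in a backup set.
func BuildManifest(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// serialize renders the manifest in a deterministic order so the HMAC is
// stable regardless of map iteration order.
func serialize(manifest map[string]string) string {
	names := make([]string, 0, len(manifest))
	for n := range manifest {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sb.WriteString(n + " " + manifest[n] + "\n")
	}
	return sb.String()
}

// SignManifest returns an HMAC-SHA256 tag over the serialized manifest.
// The key belongs to the backup system, never to the hosts being backed up.
func SignManifest(manifest map[string]string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(serialize(manifest)))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyBackup checks the manifest signature first, then every listed file,
// and finally looks for files that were not in the manifest. It returns a
// sorted list of problems; an empty list means the backup is intact.
func VerifyBackup(files map[string][]byte, manifest map[string]string, tag string, key []byte) []string {
	var problems []string
	if !hmac.Equal([]byte(SignManifest(manifest, key)), []byte(tag)) {
		problems = append(problems, "manifest: signature mismatch")
	}
	for name, want := range manifest {
		data, ok := files[name]
		if !ok {
			problems = append(problems, name+": missing")
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			problems = append(problems, name+": altered")
		}
	}
	for name := range files {
		if _, ok := manifest[name]; !ok {
			problems = append(problems, name+": not in manifest")
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	// Constructed sample backup set and signing key.
	files := map[string][]byte{"patients.db": []byte("constructed"), "billing.csv": []byte("constructed2")}
	key := []byte("constructed-backup-signing-key")
	manifest := BuildManifest(files)
	tag := SignManifest(manifest, key)
	fmt.Println("intact backup problems:", VerifyBackup(files, manifest, tag, key))

	restored := map[string][]byte{"patients.db": []byte("constructed!")} // altered and missing a file
	fmt.Println("damaged backup problems:", VerifyBackup(restored, manifest, tag, key))
}
```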

Encrypt Data in Transit

Data in transit is easy to intercept, so it is essential that all mobile devices, email systems and FTP access to PHI are protected by encryption in transit. As pagers are replaced with mobile phones, it is imperative that those devices are made secure, for example by using secure messaging software, if they are to be used by doctors and other medical professionals for accessing PHI or communicating patient health information.
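The following added example in Go (not code from HIPAA Journal) shows what "protected in transit" looks like for an internal PHI endpoint: the server refuses TLS versions below 1.2, the client refuses to connect below 1.2 as well, and a plaintext request for the same record is not served. The endpoint, its path and the record it returns are constructed; httptest generates a self-signed certificate for the loopback server, where a real deployment would use a certificate from the organization's CA.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// sampleRecord is a constructed record served by the endpoint; not real PHI.
const sampleRecord = `{"patient_id":"TEST-0001","note":"constructed sample"}`

// NewPHIServer starts a loopback HTTPS server for the record and configures
// it to refuse anything older than TLS 1.2.
func NewPHIServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleRecord)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// FetchRecord retrieves the record over TLS and reports the negotiated
// protocol version. The client sets its own MinVersion, so a downgrade is
// rejected from both sides, not only by the server.
func FetchRecord(srv *httptest.Server) (version uint16, body string, err error) {
	client := srv.Client() // trusts the test server's self-signed certificate
	tr, ok := client.Transport.(*http.Transport)
	if !ok || tr.TLSClientConfig == nil {
		return 0, "", errors.New("client transport has no TLS configuration")
	}
	tr.TLSClientConfig.MinVersion = tls.VersionTLS12
	resp, err := client.Get(srv.URL + "/record")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	if resp.TLS == nil {
		return 0, "", errors.New("connection was not TLS")
	}
	return resp.TLS.Version, string(b), nil
}

// PlaintextRejected requests the same record over plain HTTP and returns
// true when the server does not hand it over without encryption.
func PlaintextRejected(srv *httptest.Server) bool {
	plainURL := strings.Replace(srv.URL, "https://", "http://", 1)
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(plainURL + "/record")
	if err != nil {
		return true
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return resp.StatusCode >= 400 && !strings.Contains(string(b), "TEST-0001")
}

func main() {
	srv := NewPHIServer()
	defer srv.Close()
	v, body, err := FetchRecord(srv)
	if err != nil {
		fmt.Println("TLS fetch failed:", err)
		return
	}
	fmt.Printf("negotiated TLS version 0x%04x, record: %s\n", v, body)
	fmt.Println("plaintext request rejected:", PlaintextRejected(srv))
}
```

The same MinVersion setting belongs in a production `tls.Config` on both the server and any client library that fetches PHI; the loopback server here only makes the check runnable offline.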

Encrypt All Stored Data

Encryption of stored PHI is not strictly required under the HIPAA Security Rule; it is an addressable implementation specification. Now, with the threat of hacks at an all-time high, any organization that does not implement a data encryption solution, even an inexpensive one, will be exposed to attack.

It may not be possible to implement security controls that make it impossible for hackers to gain access to computer systems, but it is possible to make it much harder. An attack is likely to happen, but raising the cost of that attack can convince the thieves to move on and look for easier targets.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.