The Devastating Consequences Of A Medical Data Breach

Summary: This 3-minute article explores the issues related to cyber security for medical data. Learn the importance of following all high-compliance regulations and security measures and understand the consequences of a medical data breach, including the possibility of medical identity theft. Contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com for a cyber risk analysis and to discuss what can be done to lock down the overall security protecting all your private business data.

Anyone whose home or business computer system has fallen victim to a cyberattack understands the frustration and helplessness prompted by any data breach. However, for a high-compliance business, such as a medical practice, the consequences can include loss of patients, lawsuits and possible bankruptcy. Private medical information is one of the most closely regulated and compromised forms of data. Medical organizations and professionals are charged with doing everything possible to protect your Protected Health Information, and failure to do so can put your identity and their reputations at risk.

What Is Protected Health Information (PHI) And What Is Considered PHI?

The Health Insurance Portability and Accountability Act (HIPAA) sets strict rules for protecting health information. According to the United States Dept of Health and Human Services (https://www.hhs.gov/ hipaa/ for-professionals/ privacy/ special-topics/ de-identification/ index.html#protected), “The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI)2. Protected health information is information, including demographic information, which relates to:

• the individual’s past, present, or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

There are only three permitted uses for Protected Health Information:

• Treatment for patient medical issues
• Operations and activities related to the healthcare of patients
• Medical payments

Every other use of PHI is prohibited. Maintaining the highest possible cyber security for private medical data is vital for doctors and medical facilities to operate legally. HIPAA laws protect the following:

• Names
• Addresses
• Telephone numbers
• Email addresses
• Social Security numbers
• Special dates related to the patient, dates of hospitalization, birthdays, etc.
• Fax numbers
• Photos of a patient’s face
• Medical record ID numbers
• Medical bills
• Health insurance information, including lab reports
• Automobile VINs and license plate numbers
• Account numbers
• IP addresses
• Biometric authenticators such as fingerprints and voiceprints
• Driver’s license numbers
• Website URLs
• Any other patient identifying numbers

What Can Hackers Do With PHI?

Protected private information is one of the most valuable personal assets stolen by cybercriminals. In contrast to banking information, the data is unlikely to change over time. Also, because of the complex nature of the information, identity theft is a possible severe threat. Once hackers have successfully stolen PHI, they can use it to receive healthcare treatment, buy prescription drugs or present false medical insurance claims and begin the process of stealing your identity.

Since the onset of the pandemic, there has been a >70% increase in PHI theft. Doctors, hospitals and medical practices were pushed to overwhelming activity levels, distracting medical professionals from following all PHI rules. Also, expanded remote access and the work-from-home environment challenged employers and employees to remain vigilant concerning PHI protection compliance.

Protecting Personal Health Information

The healthcare industry is required to follow HIPAA laws to protect the security and privacy of healthcare information. The rules apply to all healthcare professionals (doctors, nurses, etc.) as well as hospitals, medical centers and rehabilitation facilities. In addition to the law, there are specific protection requirements related to administration and other PHI safeguards. These requirements include mandatory employee training, access limitations and data encryption.

To maintain the highest compliance levels, healthcare providers must conduct regular risk analyses and take all necessary actions to keep PHI locked down. Although there are no 100% guarantees that private data won’t be breached, the utmost care must be taken to avoid PHI hacks.

Our protected health information is very important to us. However, it is important to remember how valuable your data is to hackers. Therefore, patients and healthcare providers must be vigilant about applying all required compliance and safeguards to protect PHI.

Data security and compliance are too important to be left to amateurs. Unfortunately, even computer-savvy users are not equipped to understand all the facets of PHI cyber security and ensure all safeguards are in place. Therefore, all high-compliance organizations and professions should consider employing IT experts to perform a cyber risk analysis to identify your vulnerabilities and install the best possible data security. In addition, as your practice’s reputation and solvency are on the line, it is also prudent to hire legal compliance specialists to be sure all of your business’s high-compliance requirements are fully met.