Health Data Is More Valuable Than You May Think
Written by Editor   
Tuesday, April 05, 2016 12:00 AM

HIPAA compliance is something we all have to deal with, and there is a tendency to underrate the importance of protecting patient information. This article explains why that is a mistake. What is more valuable to a hacker than someone's credit card information? Their protected health information (PHI). On the "deep web" marketplaces where stolen goods are sold, a credit card may be valued at $1 to $2, but your PHI can sell for $20-$200.

"Your Social Security number, if I had that, and I was an attacker, I could continue to use it again and again ... This is why many entities are coming for your PHI," said one security expert.  When it comes to unsecured PHI, there are two types of data: "data you know about and data you don't," he said. At one company "I found a maintenance closet; it had no key, no video, no lock. As we walked into the closet ... We found a little over 6 million individual paper records in that room."

The notion that protected health information isn't very valuable is just one of the misconceptions that many in healthcare subscribe to.

Most organizations have many vulnerabilities. Firewalls should be updated and reviewed every 6 months. Beyond firewall issues, some healthcare organizations think HIPAA doesn't apply to them. They'll say they're too small -- maybe they are a one- or two-provider shop. Or, "I store my data in the cloud and the cloud provider does everything for me."

Another frequent response is, "Our IT department and attorneys have us covered."

Some organizations think their business associates will take on all the liability. But liability is always a shared responsibility between the two of you, and the business associates likely have vulnerabilities, risks and threats of their own that will put your systems at risk.

Social engineering -- people who insert themselves into your workplace to steal data -- is another threat healthcare organizations don't often think about. We spend a lot of money on really impressive products, but the biggest weakness in your organization is always going to be your people, and not necessarily the IT department either. As one security specialist put it, "If I were social engineering you, I wouldn't come in as IT, I would come in as janitorial. They have keys to everything, and they come in at night when no one is looking."

He recommended a few steps for healthcare organizations to follow:

  • Perform a risk analysis. "This should be done annually; it will identify many things."
  • Send weekly security tip reminders. "Get the staff excited about what they're doing wrong; explain how this impacts patients."
  • Maintain individual user accounts for everything. "Just because an electronic health record forces a username and password doesn't mean we're compliant. What's the accountability at the network level? What if malware is uploaded?"
  • Update systems and applications. "I get older and fatter, and systems are the same way; they need to be updated. Critical updates should be put in within one month of release."