What's the worst that could happen? These three healthcare data breach stories aren't for the faint of heart. Find out how to protect your company from similar outcomes.
Breaking news. July 25th, 2019. Northwood, a medical equipment benefits administrator in Michigan, had to notify its many healthcare partners that their patient data had been compromised after a hacker bypassed security to access an employee's email. As a result, more than 15,000 patient records were affected. Security was alerted after suspicious activity was spotted on the email account, but investigators determined that the intruder had already had access for three days, an eternity when it comes to stealing patient data. Diagnoses, social security numbers and more were among the casualties.
Alert! Nearly four thousand patient records were compromised when Cancer Treatment Centers of America experienced an email hack. If only this were an isolated situation. Unfortunately, it was the third such incident within a short time: attackers send phishing emails to the company on a regular basis, waiting for someone to take the bait. This time the hacker had access for 11 days.
Not again. American Medical Collection Agency (AMCA) experienced an eight-month hack of patient data that exposed over 25 million patients' information. Over 20 of its partners were affected, including names you know like Quest Diagnostics and LabCorp. Laboratory Medicine Consultants claims that its business associate, AMCA, "downplayed" the incident, leading it to believe the breach was far less serious than it was and prompting a more extensive investigation.
These breaches are recent and investigations are ongoing, so at this time we can't quantify the personal casualties, HIPAA penalties or lawsuits that will likely result, both for the business associates and for the hospitals, labs and other medical providers that trusted them to protect their patients from third-party data breaches.
Stories like these remind us of the impact of healthcare business associate data breaches and the importance of putting systems in place to protect patients and our healthcare companies' financial interests. Let's explore the solutions that these companies and their partners unfortunately implemented too late to prevent their breaches, but that you can proactively employ to avoid a similar fate.
As a healthcare organization, you work with several third parties who have access to varying levels of patient data, and you couldn't function without them.
You need business associates to:
While a BAA (business associate agreement) won't completely protect you when a business associate suffers a data breach, it does spell out what your partner is doing to keep patient data safe. This allows you to evaluate their standards and make the best decisions for your organization.
Patient information should always be shared on a need-to-know basis. For example, a collection agency doesn't need diagnosis information to collect on a debt, but you could be unwittingly sending it if you simply hand over unredacted patient records. You'll find many examples of similar oversharing, so evaluate your exposure and limit the risk.
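One way to enforce that need-to-know rule in software is to build every outbound disclosure from a per-purpose allowlist, so that a collection-agency export can never carry diagnoses or social security numbers by accident. The following is an added example, not code from the original article; the field names, the purpose profiles and the sample record are all constructed for illustration.

```python
"""Minimum-necessary release of a patient record to a business associate.

Added example (not from the article). Field names, purpose profiles and
the sample record are constructed assumptions, not a real system's schema.
"""
from dataclasses import dataclass, field

# Constructed sample record: holds far more than a collection agency needs.
SAMPLE_RECORD = {
    "patient_id": "P-0001",            # constructed value
    "name": "A. Example",
    "mailing_address": "1 Example St",
    "ssn": "000-00-0000",              # constructed placeholder
    "diagnosis": "E11.9",
    "visit_notes": "Follow-up in 3 months.",
    "balance_due": 240.50,
    "service_dates": ["2019-05-02"],
}

# Allowlist per disclosure purpose. Anything not listed is withheld, so a new
# field added to the record is private by default until someone approves it.
PURPOSE_ALLOWLIST = {
    "debt_collection": {"patient_id", "name", "mailing_address",
                        "balance_due", "service_dates"},
    "lab_processing": {"patient_id", "name", "service_dates", "diagnosis"},
}


@dataclass
class Release:
    purpose: str
    payload: dict                       # what actually leaves the organization
    withheld: list = field(default_factory=list)  # for the disclosure log


def release_for(record, purpose):
    """Build the outbound payload for one purpose; fail closed on unknown purposes."""
    allowed = PURPOSE_ALLOWLIST[purpose]        # KeyError: no profile, no release
    payload = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return Release(purpose, payload, withheld)


def audit_outbound(payload, purpose):
    """Return fields in an already-built payload that the purpose does not permit.

    Useful as a last check on exports produced by other tooling.
    """
    return sorted(set(payload) - PURPOSE_ALLOWLIST.get(purpose, set()))
```

Run `audit_outbound` against whatever your billing or export tool actually produces; a non-empty result means a record left with more than the recipient needed.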
You can have the highest-level encryption, firewalls and anti-virus, but a single phishing email can help a hacker bypass all of it. Typically, an employee receives an email asking them to click a link. That link may lead to a page that looks familiar and encourages them to enter a password, or it may trigger the download of a file that compromises the machine. Stay informed about the risks and continually update your teams about the tricks hackers use to get at patient data.
We all know that there's an app for that. Apps make our lives easier and can do almost anything, and in a business where time is money, we're always looking for ways to improve productivity, patient satisfaction, inventory management and more. But any third-party software, even from a trusted name like Microsoft or Google, is another avenue for someone trying to reach patient data.
Know who your partners are and what security measures they employ. Many software companies offer different tiers of their product with different levels of security. And we can assure you that if someone in your company is using the "free version" of a service like Dropbox or Google Drive, it doesn't have the security you need.
Work with IT security experts to evaluate a vendor's security measures. And know that software companies also need to sign a BAA if you will be giving them access to patient data. If they won't sign one, choose another application.
Are these technologies high-caliber enough for healthcare? Can they reduce the risk of today's security threats, which are often clever and highly convincing?
Once again, if you don’t have the high-level security expertise in-house, consult with experts who can evaluate your risks and recommend solutions.
The average IT director or manager may be very good at his or her job, but today's security risks extend beyond the training and knowledge of even the best general IT professionals. You need to work with security specialists who understand the risks because they manage and eliminate those risks for healthcare companies every single day.
Working with business associates is essential to the function of any healthcare organization, but you don't have to take on that additional risk alone when you work with professionals who can help you evaluate those partnerships and keep patients safe.