Data Breaches and How you can Prevent them
Introduction
It should come as no surprise to professionals that data breaches and security hacks are a concern for businesses across the world. But, it may be surprising to learn that a Raytheon study found that 97% of networks will experience a security compromise over any six-month period.[1] That means that businesses of all sizes, professions, locations, and structure are prime candidates for a cybersecurity attack—including, in particular—healthcare organizations.
In 2017, global data breach damage costs exceeded $5 billion, and that number is expected to increase exponentially with time.[2] The biggest threats to cybersecurity across all professions? Weak, default, or stolen password.[3] A 2017 report on data breaches in healthcare found that health care was the second most popular industry to experience an attack, and 72% of those attacks were made possible by an internal breach.
The Unique Case of Health Care
Health care is a prime target for security breaches because of two critical factors: highly valuable patient information and steep liability. In 2016, there were at least 377 known healthcare data breaches, and more than 87% of healthcare lawyers believe that healthcare organizations are at a greater risk of cybersecurity attacks than other industries.[4]
Patient Data
Patient data is ripe with profitable information. A typical patient file, including medical records and payment information, will include a litany of data points that any hacker would love to obtain. Personal information, like age, address, and Social Security number, is easily sold to willing buyers who want to steal identification. Financial records include insurance information and claims reports, which are often used for filing fraudulent claims in an effort to collect payouts. And, of course, there’s patient health information, which can be sold on the black market for 10 to 20 times the amount of cash as personal information. Stolen patient data enables a hacker to order and resell expensive drugs, commit medical identity theft, and more.[5]
Risk factor: Liability
Because of the vulnerabilities of protected health information (PHI), the Federal government vowed to hold healthcare providers liable for lost or compromised patient data under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. Designed to protect the privacy and security of individuals, health providers are deemed responsible for properly securing and protecting patient information. The red flag for medical providers appears when it comes to identifying the entity held liable for data breaches of this type of information, as the HIPAA Privacy, Security, and Breach Notification Rules explicitly state that the rules apply to all HIPAA-covered entities including business associates.[6]
This seemingly innocuous information is critical for health care organizations to know and understand. In short, providers are held responsible for data breaches even if their vendor is responsible for the breach.[7] Third-party vendors like billing services, legal entities, payment processing companies, and health management information systems can all be the sources of a data breach for which the provider organization is held responsible.
Risk factor: More employees
Many small- and medium-size healthcare organizations feel that they are the underdog in the battle of fighting security attacks. Limited budgets make high-dollar malware detection software or fulltime staff dedicated to security unrealistic. While this argument may seem practical at its core, the data and research tell a different story.
Smaller businesses and organizations are not necessarily more likely to be impacted because of lower prevention budgets. In fact, a 2017 study reported that larger hospitals and teaching-focused facilities can create higher data breach risk—a result of increased exposure at the individual level.[8] As more and more people are given access to patient data, potential sources for a breach increase simultaneously.[9] These sources include stolen credentials, lost devices like cell phones or laptops, simple mistakes, or security ignorance.[10]
Risk factor: Outsourced Services
Hackers go where the money is, so the more patient records you have, the bigger a target you are.
The healthcare industry is also seeing an increased number of providers using foreign software vendors and billing services. Although offshoring is not illegal, it poses particular risks to healthcare organizations, particularly in the areas of compliance and legal issues. For instance, although a healthcare organization follows HIPAA compliance rules and performs due diligence on its vendors, HIPAA does not directly address all potential privacy and security risks to an organization.[11] In other words, although an organization and its business entities follow HIPAA compliance and guidelines, it does not remove liability if an offshore IT or support department with access to unencrypted data is breached.
Additionally, offshore vendors are not held to the same safeguards and reporting requirements that are required within the United States, meaning a healthcare organization may not actively know about a security breach that occurred in an offshore vendor network.
Risk factor: Outdated Technology
An assessment of healthcare data hacks revealed that medical organizations are particularly vulnerable to hackers due to the general age and inadequate nature of healthcare technology infrastructure.[12] In comparison to other markets, like banking and retail, technology in the healthcare industry is slow to change, making it much easier to hack.
Most of the major healthcare practice management software systems were built with old technology and originally written well before HIPAA or security issues were a concern. Most old technology, while it may run on today’s computers was never designed to be secure. Patches have been added so it can meet HIPAA’s very weak requirements, but it leaves its users very vulnerable to a hacker’s attack and data breach. Most old technology is no longer supported or updated by its creator, like Microsoft. Software developers all want to work with the newest technologies, so even finding a software developer who can work with the original software code becomes difficult leading to a ‘what you see is what you get’ software. When accessing fines and penalties for a data breach, the efforts taken or not taken by an entity to prevent a data breach are considered when assessing the fines so using old technology software for processing confidential patient data may prove to be penny wise and pound foolish when the data breach is discovered.
Implications of Data Breaches in the Medical Profession
Businesses are spending more and more every year to recover from a security breach, regardless of industry. From lawyer fees to security updates to technology repairs, the average total cost of a security breach exceeds $3.5 million.[13] In healthcare, that number rises to more than $4 million on average.[14]
The HIPAA Breach Notification Rule requires that covered entities notify all affected individuals, HHS, and, in some cases, the media when a breach is detected. In addition, the Notification Rule requires that the communication must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.[15]
A commissioned 2017 study[16] found that the disclosure of a data breach has a profound impact on a business’s brand, including:
Methods of Security Protection
Encryption
One of the core methods of protecting private information and patient data is through encryption. Properly encrypted data deters hackers, as it offers only scrambled text and information with no decipherable decryption code. Encryption uses an algorithm to turn plain text, like letters and numbers, into an unreadable code. To unscramble the information, an encryption key is required.
Encryption is widely considered a best practice, particularly in the healthcare industry, but it is not mandatory under HIPAA. If a business is HIPAA-compliant, it is not necessarily protected from a data breach or absolved of responsibility in the case of a hack.
The Need for Ongoing Encryption
Encryption offers healthcare organizations a method of data and company protection by removing the ‘confidential’ status of the data. According to HIPAA guidelines, data that has been encrypted is no longer confidential, and therefore not subject to breach reporting requirements.
The National Institute of Standards and Technology, which is part of the U.S. Department of Commerce, issued a special publication, Guide to Storage Encryption Technologies for End User Devices, to help organizations mitigate their risk and exposure in storing data. The recommendations outline the various forms of encryption and technologies as well as the laws and regulations that define the need for proper storage and security.
One notable exclusion from the recommendation is the lack of requirement to encrypt sensitive data except when in transport. As a result, most software solutions available to businesses encrypt data while in transport but the data is stored in their database as unencrypted, thus exposing sensitive information to anyone with access to the database.
Even if the database is stored on an encrypted drive, the data is plainly visible to someone with authorized access to the drive.
This exposure is where all medical organizations and practices should identify a red flag: When data is at rest, it is at risk.
The ‘Always Encrypted’ Problem
SQL Server attempted to improve its security by offering enterprises an ‘Always Encrypted’ feature in its 2016 release. The feature offered a system for encrypting data at rest and in motion; however, analysts quickly noted the product’s “many limitations,” including restrictions to encryption services and the complexity of implementation.[17] It also allows an authorized user to run queries returning the confidential data as unencrypted plain text view.
Solutions like SQL Server and encrypted drives appear, on the surface, to tackle the problem of protecting data at rest. The truth is that access to unencrypted data, even with SQL Server’s new ‘Always Encrypted’ feature is simply a matter of obtaining authorized credentials—a cornerstone of any hacker’s approach to getting private information. With the right login information, the data is unencrypted and available to anyone using the authorized credentials, including a hacker or Roque employee.
Recommendations & Solutions
The first step to protecting your business is identifying the tools, policies, and procedures your organization needs to comprehensively protect your data. With the increased complexity of hacking, the healthcare industry continues to be a prime target for security breaches.
In almost all solutions offered to the healthcare community, data breach protection for the database that stores confidential patient information comes down to protecting the user credentials of authorized users who can view the confidential data as unencrypted data. Hackers have proven to be very resourceful and very successful at stealing these credentials time and time again despite best efforts.
There is one innovative practice management software company with a practice management software that has closed that door to hackers and has made its database virtually breach proof. They do this by encrypting all data from the time it is entered, during transport and it is stored in the database as encrypted. No one, regardless of credentials has the ability to view the data in the database as unencrypted. That practice management software is ProSourceMD and is a state of the art software used by medical groups and billing services for Anesthesia and General Medical Billing.
Solution: ProSourceMD
ProSourceMD, a product of Navaro Medical Solutions, may be the only practice management software available on the market that stores all confidential data during transport and in the database while at rest where no one can view the confidential data in the database in its unencrypted state. Since encrypted data is not considered confidential data, it makes ProSourceMD database breach-proof.
ProSourceMD was designed from the ground up with state of the art technology to exceed the privacy and security features recommended by HIPAA, going well beyond the minimum requirements in many areas. When data is encrypted with ProSourceMD software, it remains encrypted—even when retrieved by the program. The decryption only occurs in the application when it needs to be displayed to a validated and authorized user. In most cases, only a single individual’s information is being viewed unencrypted at any given point in time.
No single person or program can ever view or export data as unencrypted. This differentiator is critical. Unlike most available software programs, which leave data vulnerable to anyone with an authorized login, ProSourceMD ensures that no user can access original, unencrypted data in its database. ProSourceMD stores encryption keys offsite, fully separate from the software and database. In addition, ProSourceMD uses AES256 encryption and goes an extra step to fully obfuscates the encryption and decryption process, thus making it impossible to decrypt the data, even if a hacker were able to steal the database and encryption keys.
Using ProSourceMD for your billing or using a billing service that uses ProSourceMD gives medical groups a level of protection they cannot get through any other software, or through any amount of insurance or through any amount of network safeguards. If you can prevent a data breach that could cost you millions of dollars and ruin your practice’s reputation, why wouldn’t you?
Third-Party Verification: John Parmigiani
Navaro Medical Solutions contacted expert John Parmigiani, an independent information systems technology consultant, to perform a HIPAA Security Rule compliance assessment of ProSourceMD. In his 35-year career as a former federal executive in health information management, Parmigiani served as the federal government chairperson for the interdisciplinary team that developed the HIPAA Security Rule and is well respected as an expert in the field.
Upon completion of the assessment, Parmigiani wrote:
A distinguishing security feature of ProSourceMD is its encryption of sensitive data at all steps in the process, assuring protection from both internal and external unauthorized access and exposure while mitigating and minimizing client risks. ProSourceMD encrypts data from its inception, when being captured, immediately encrypts it in storage, and provides the capability of sending it securely to any carrier that is equipped to accept electronic transmissions. This process greatly minimizes any potential data loss or corruption threats that result from needing to transmit from provider (the medical practice) to the insurance carrier. Of special importance is the fact that NMS in its ProSourceMD System stores the data in encrypted format, making it virtually impossible for unauthorized access. It is this attribute which makes ProSourceMD consistent with even the most stringent state data protection requirements. It is safe to say that
ProSourceMD stands alone as an E-Health ready practice management system.
Conclusion
The healthcare industry is in a new era of data security. With breaches on the rise and hackers developing more complex and debilitating ploys, ensuring data protection is no longer a luxury for big-budget providers alone. There are regulations in place and rules to follow. Businesses are required to assess their vendors and partners, including those offshore, to ensure that they are doing everything they reasonably can to prevent confidential data from being compromised. When it comes to the question of whether to use software or require that your third party vendor use software that makes your business breach-proof, the answer is simple: can you afford not to?
Organizations across the field must pay attention to what history is telling us: your business is going to be implicated in a breach. With more than 93% of businesses falling into the ‘victim’ category, the only way forward is to find fail-safe solutions that protect your data, your business, and your company’s future.
About Navaro Medical Solutions
Navaro Medical Solutions has been specializing in building and supporting anesthesia groups and multi-specialty billing services for more than 25 years. ProSourceMD was designed and built around the HIPAA regulations using state-of-the-art technology and employing industry-leading security features that make its database breach proof. Their website is www.prosourcemd.com and they can be reached at 859-586-0300.
[1] http://assets.theitjobboard.com/ITMEDIA/default/Taylor/Raytheon/DataClarityInvestigativeAnalyticsWP_FINAL.pdf
[2] https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html
[3] http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf
[4] http://www.modernhealthcare.com/article/20170121/MAGAZINE/301219987
[5] https://www.popsci.com/why-do-hackers-want-your-health-data
[6] https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf
[7] https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf
[8] https://healthitsecurity.com/news/healthcare-data-breach-risk-higher-in-larger-facilities
[9] http://www.healthcareitnews.com/news/healthcares-worst-security-weakness
[10] https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiVkbK97vjWAhXk44MKHRKeA6UQFggwMAA&url=https%3A%2F%2Fwww.cio.com%2Farticle%2F3078572%2Fsecurity%2Fhuman-error-biggest-risk-to-health-it.html&usg=AOvVaw34zp49JrIuTMuJswKie0x7
[11] https://www.healthlawyers.org/find-a-resource/HealthLawHub/Documents/Cybersecurity/Journal_2014_Offshoring%20Health%20Information.pdf
[12] https://www.cio.com/article/2880771/data-breach/what-the-anthem-data-breach-says-about-the-vulnerability-of-healthcare-it.html
[13] http://assets.theitjobboard.com/ITMEDIA/default/Taylor/Raytheon/DataClarityInvestigativeAnalyticsWP_FINAL.pdf
[14] http://www.healthcareitnews.com/news/cost-data-breaches-climbs-4-million-healthcare-events-most-expensive-ponemon-finds
[15] https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf
[16] https://www.centrify.com/about-us/news/press-releases/2017/ponemon-data-breach-brand-impact/
[17] https://www.red-gate.com/simple-talk/sql/database-administration/sql-server-encryption-always-encrypted/