
Doctors’ offices, emergency rooms, hospitals, urgent care centers, and all sorts of other medical institutions have a vast wealth of data on their hands. Patients not only supply their PII (like DOB, SSN, address, phone numbers, etc.), but also, naturally, disclose intensely private, personal health information to their care providers. And unlike, say, transaction records from a store, or personal information given to a gym, information contained in medical records often exists in perpetuity. (Ask any doctor, and they’ll probably bemoan the endless archives of charts and electronic medical records they’ve accumulated over the years, often from patients who they no longer see, or who have died.)
A lot of people don’t think twice about the depth and breadth of the personal information they’ve shared with medical entities. And if we ever do worry about it, we likely conclude that it’s unavoidable – a necessary evil. After all, how can we get good medical care unless we’re fully open and transparent with providers? And we can’t exactly request to have our information deleted after a certain amount of time – diseases sometimes resurface, and at the very least, a fully detailed medical history (likely dating back years or decades) is vital to treating new ailments.
What all this means is that medical institutions and practitioners have a serious burden placed on them to protect the troves of sensitive information they manage. That’s where HIPAA comes in.
HIPAA was passed in 1996 and is a federal law that created national standards to protect sensitive patient health information from being disclosed without the patient’s consent. It contains policies that must be followed in order to remain in compliance. A lot of these policies apply to “analog” forms of data security – shredding documents, never verbally disclosing patient information beyond the care team, and keeping physical medical records secure. But, these days, a lot of HIPAA is primarily centered around keeping EMR (Electronic Medical Records) fully safe. HIPAA now contains a vast compendium of rules that must be followed with regard to data security, incident response, and breach or leak reporting.
The threat is real: a staggering 83% of medical practitioners told the AMA in 2017 that they had suffered a cyberattack! Hackers are smart and know how incredibly valuable medical information is in terms of planning and executing malicious attacks.
All of the key cybersecurity threats that apply to other industries are present, and the stakes are obviously high. These threats include:
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
That’s right –hackers are able to compromise medical devices (such as life-support machines) in what may be the ultimate form of malevolent ransomware. Electronic, connected medical devices – of which there are many – are vulnerable and that’s literally a life-or-death situation. To be clear, an attack that has genuinely harmed patients has not happened yet. But in 2017, “Wannacry” ransomware hit more than 200,000 U.K. computers, including in 48 U.K. hospitals, and medical devices were affected. Specifically, several hospitals said their radiology equipment was shut down by the ransomware attack.
Additionally, researchers have developed and demonstrated the efficacy of malware that can alter CT and MRI scans. In the study, the researchers created malware that managed to add and remove tumors to CT scans. When radiologists in the study were shown the altered images, 99% of the time they could not tell the difference between a fake and a real scan. The researchers suggested that these kinds of hacks could be exploited to sow doubt about the health of government figures, sabotage research, commit insurance fraud or as part of a terrorist attack.
There are a lot of solid security steps that are now de rigueur in terms of HIPAA-based cybersecurity. Protective measures remain similar to what is seen across all industries:
- E-mail protection system
- Endpoint protection system
- Access management
- Data protection and loss prevention
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Strong employee-based cybersecurity
To maximize security, a strong threat awareness platform like HackNotice is vital. It’s the best way to reduce human error in cybersecurity and to get real-time data about leaks and breaches for one’s own domain, third parties, end users, and information about past breaches. HackNotice provides full-spectrum security, ranging from best-in-class employee-based threat awareness to active, in-depth dark web scraping. (For more information about how HackNotice can help private practices, hospitals, or any other medical entity, request a demo here: https://hacknotice.com/request-a-demo/)
There’s a lot to digest about HIPAA and medical cybersecurity, for both patients and providers. If you’re interested in learning more, here are some good links to official sources:
- https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- https://www.cdc.gov/phlp/publications/topic/hipaa.html
If you’re a concerned patient, make sure to talk to your provider about the steps they take to remain cybersecure. And if you’re a provider, be sure to use all the resources at hand (including continuing education courses and seminars) to stay at the cutting-edge of cybersecurity policies and best practices. That way, you’ll stay safe, your patients will be secure, and you can focus on what you do best — practicing medicine.
References:
1. Stanger, K., Shaxted, A. “Cybersecurity and HIPAA.” Idaho Medical Association; Holland & Hart. https://www.hollandhart.com/files/90491_cybersecurity-and-hipaa.pdf
2. Harris, Kelli. “Hacking Medical Devices: Managing and Bolstering MedTech Cybersecurity Defenses.” Hologram, August 19 2021. https://www.hologram.io/blog/medical-device-hacking/.
3. Alder, Steve. “Malware Alters CT Scans and Creates and Removes Tumors.” HIPAA Journal, April 5, 2019. https://www.hipaajournal.com/malware-alters-ct-scans-to-create-and-remove-tumors/.
4. BBC News. “Computer Virus Alters Cancer Scan Images,” April 4, 2019. https://www.bbc.com/news/technology-47812475.
