With Hack Attacks Occurring at an Alarming Rate, How Are You Gearing Up to Combat Medical ID Theft?

The business of healthcare fraud is booming, fueling an outbreak of medical ID theft and a new wave of security risks for all healthcare organizations. In total, the FBI estimates $80 billion of the $2.2 trillion a year spent on healthcare in the United States is associated with fraud. And, according to the Medical ID Fraud Alliance, approximately half of all healthcare fraud is tied to medical ID theft.

There is no avoiding the current trend: healthcare-related hacking incidents in 2013 grew to 28 incidents affecting nearly 1.1 million records; up from 23 incidents affecting 879,179 records in 2012, based on research sponsored by the Identity Theft Resource Center.

In today’s environment, organizations must defend against “sophisticated cybercriminals who seek critical medical data to commit fraud or turn a profit,” reports HealthcareInfoSecurity. But how do you ensure your organization is protecting health data from this new rash of hack attacks?

Here are a few HIPAA-HITECH tips to help you evolve your efforts:

  1. Conduct a Thorough Risk Analysis – You need to understand what specific vulnerabilities exist in your business process and supporting IT environment.  Without conducting a comprehensive risk analysis you have no way to prioritize needed prevention or mitigation steps.
  2. Patch your systems – Be certain to patch any/all system infrastructure.  Don’t forget to patch servers, even if patching requires scheduled downtime.
  3. Install anti-malware – While fewer threats are caught by anti-malware systems, a well-managed (comprehensive, frequently updated) anti-malware program, implemented across ALL systems, can go a long way toward preventing infection that could lead to a data breach.  Just because your UNIX/LINUX/OSX systems haven’t been infected yet, doesn’t mean they are immune to malware or that they can’t be used to spread malware targeting other systems.  These operating systems should always be protected with anti-malware solutions.
  4. Encrypt your end-point devices –  Your ePHI is walking out the door every day.  A well-managed encryption system on anything that moves data is the key to keeping a data breach from being a reportable incident. This includes laptops, mobile devices and portable storage devices.
  5. Train your staff – Information security and ePHI handling should be baked into a continuous awareness program for all staff.  The program should be tailored for the types of data encountered by different users, management and executive staff, as well as specific threats targeting these groups.

Many healthcare organizations have failed to take these, and other necessary, actions to keep pace with new technological threats. Are you doing all you can to defend and detect external attacks on your ePHI?

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.