In a troubling trend in healthcare data security, an increasing number of breaches are being targeted directly at third party EHR vendors. Once a cybercriminal figures out a way to compromise a specific software, the damage can spread precipitously through other medical practices which rely on that vendor’s product.
In its Mid-Year Horizon Report on The State of Cybersecurity in Healthcare, Fortified Health Security reported that there were over 337 EHR security breaches in the healthcare sector during the first six months of 2022. Over 19 million records were affected during this time, putting confidential patient information at risk. Most of these attacks focus on healthcare providers, and are due to malicious activities, as opposed to lapses in security.
OCR (Office for Civil Rights) tracks healthcare breaches, and reports that the location of breached information will usually occur on a network server, Electronic Medical Record, or email. According to an IBM report on the cost of a data breach in 2022, healthcare data breach costs hit double digits for the first time ever. Healthcare participants saw the costliest breaches for the 12th year in a row, with average costs reaching over $10 million. This article looks at the reasons behind an EMR data breach and discusses ways to secure private practice software from a data breach.
What Can Cause a Healthcare Data Breach in a Medical Office?
Types of breaches in OCR cases currently under investigation fall under the categories of hacking/IT incident, loss or theft, and unauthorized access/disclosure. Other causes might include human error or misuse of access privileges. This might be something as straight-forward as granting access to a technician to conduct a specific task, and then forgetting to rescind that approval once the task is complete.
Sometimes it is just as simple as the fact that the medical office does not place enough emphasis on security, keep current with its hardware and software security issues, or make a sufficient financial investment in cyber security. Most private medical practices also fail to conduct the necessary privacy and security training on a regular basis, to keep these issues at the top of everyone’s mind.
What is the Value of EHR Software After a Data Breach?
It is necessary for private practices to have strategies in place to alleviate the potential for a data breach, to save time and effort for the practice in dealing with the breach, and to ensure the well-being and confidence of patients. Although EHR software makes day-to-day office activities much easier, its value can decrease if patient data is not rigorously protected. Instead of dealing with the aftermath of a healthcare data breach, it is far more effective and cost-efficient to invest in high-quality EHR software and office security initiatives.
How Do Hackers Benefit from Stealing Medical Records?
Ransomware attacks are those which threaten to shut down an entity’s digital capabilities unless a monetary ransom is paid. While some medical entities believe paying the ransom might be the quickest way to a resolution, the IBM report suggests that this might not be an effective strategy, as it does not lower costs by a significant amount.
Most cybercriminals, however, are on the hunt for confidential data from medical records which they can turn to their advantage. Medical data lasts much longer than bank, credit card, and Social Security numbers, which can all be changed. That is why cyber thieves like to target this market. The case of the Shields Health Care Group breach impacts approximately 2 million individuals, and their sensitive data. But large groups are not the only ones at risk. Healthcare providers with just a few thousand records have also been compromised.
Patient Health Information (PHI) that can be potentially exposed to danger includes full name, date of birth, Social Security number, healthcare insurance provider information, diagnoses and treatment plans, billing information, medical record numbers, patient ID, and contact information. The attackers may sell the information outright. In 2019, full medical records could sell for as much as $1000 each. Thieves might use the information themselves to submit fraudulent insurance claims, purchase unauthorized medical equipment and supplies, commit identity theft, ruin the patient’s credit history, or perpetuate further scams on the individual.
Ways to Secure Your EHR Software from a Data Breach
Federal HIPAA Security Rules require healthcare providers to protect electronic health records using proper physical and electronic safeguards to ensure the safety of health information. Ways to secure your EHR software include:
- Appoint a designated security officer within your practice.
- Conduct an annual security risk assessment of the physical, technical, and administrative security of your office and EHR software to protect personal health information.
- Use audit trails which automatically track when the system is accessed, and by whom.
- Maintain strict control over all digital devices. Follow security protocols to initiate an immediate shutdown in case of loss or theft.
- Conduct frequent training to raise security awareness internally.
- Change passwords regularly. Require use of advanced password combinations.
- Utilize data encryption so that only authorized users have access.
- Rely on an EHR that includes lockout features, automatic logoffs, mandatory resets, two-factor authentication, and security questions.
- Have a data backup plan in place.
- Establish remediation protocols before an event occurs, so your office will not have to scramble to respond to an attack.
Protect Your Private Practice Against a Possible Data Breach
It is important to work closely with a healthcare technology company that provides HIPAA compliant EHR software. PrognoCIS EHR by Bizmatics serves the needs of Ambulatory Medical Practices of all sizes and specialties. Our cloud-based EHR streamlines workflows through a platform of stable and mature modules and features including Practice Management, Medical Billing, Revenue Cycle Management, Telemedicine, Patient Portal, and e-prescription, while paying close attention to data security and safety needs.