PHI Data - A Hacker's Treasure Trove

Ron Scarborough
Sep 4, 2019 1:03:00 PM

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. I begin with this statement because, for those of us who are professionals and adults, this date is relatively recent in our lifetimes. Social Security Numbers (SSN) have been around since before World War II (1936), followed shortly after by the invention of credit cards in 1950. We almost instinctively know the importance of protecting our SSN and our credit card numbers, but how aware are we of the need to protect our personal health information (PHI, also referred to as protected health information)?

The Massachusetts General Hospital recently experienced a breach affecting nearly 10,000 patients, which exposed names, demographic information, dates of birth, medical record numbers, and medical histories. With major breaches like this occurring often, organizations need to evaluate whether they are doing all that they can to secure their clients’ personal information.

As consumers, many of us assume that the doctors and medical practices we use are protecting our data with the highest level of security. At the same time, many other consumers believe that this personal health information is useless in the hands of hackers. Unfortunately, far too often neither of these statements is true. According to HIPAA Journal, healthcare data breaches have been on the rise over the past decade, with 2018 seeing 365 breaches.

This personal health information is very valuable and will often sell on the dark web for more than a Social Security Number. That’s because of the treasure trove of personal information that a doctor’s office or hospital holds for each patient. This includes your name, birth date, policy number, diagnosis codes, billing information, and, in some cases, even your Social Security Number. If a criminal can get their hands on all this information, they can then attempt to impersonate you to buy medicine and medical equipment, open false insurance claims, file fraudulent tax returns, etc.

The healthcare industry has traditionally been viewed as a very attractive target for hackers due to the lack of cybersecurity knowledge and programs in many of these organizations. Breaches can occur as a result of many incidents including, but not limited to, a doctor opening and clicking on a phishing email, plugging in an unfamiliar flash drive, having a hospital laptop stolen from a vehicle, and so on.

Any HIPAA violation can cost an organization $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation, not to mention the irreparable damage to the brand image of the organization.

As hackers increasingly target healthcare organizations for the valuable personal health information they possess, healthcare organizations must adapt and begin treating personal health information with the same level of security and privacy that we’ve given to Social Security Numbers and credit cards over many decades. The first step in ensuring that you are properly protecting your patients’ data is conducting a HIPAA Risk Assessment. Through this assessment, a third-party organization will identify the flow of personal health information, the controls currently in place, and specific areas of risk, and will develop remediation strategies to mitigate the threat of a data breach. Compass IT Compliance has partnered with many organizations over the past decade to conduct thorough and accurate HIPAA and HITECH Risk Assessments. If you’d like to learn more about how a HIPAA Risk Assessment can help mitigate your risk of a data breach, contact us today!
