September Healthcare Breaches Affected 1,928,433 Individuals
September healthcare breaches reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) affected 1,928,433 individuals. The majority of the 33 reported September healthcare breaches were the result of Hacking/IT Incidents, affecting 1,889,849 patients. Unauthorized Access/Disclosures affected 18,814, while Theft/Loss affected 19,770 patients.
Wood Ranch Medical: network server hack affecting 5,835
Magellan Healthcare: email hack affecting 55,637
National Imaging Associates: email hack affecting 589
Paragon Health, P.C.: email hack affecting 4,674
Bates Technical College: network server hack affecting 2,112
Sweetser: email hack affecting 22,000
Kilgore Vision Center: network server hack affecting 40,000
Berry Family Services: network server hack affecting 1,751
Premier Family Medical: network server hack affecting 320,000
Shore Speciality Consultants Pulmonology Group: desktop computer and network server hack affecting 9,700
East Central Indiana School Trust: email hack affecting 3,259
Goshen Health: email hack affecting 9,160
Cancer Treatment Centers of America (CTCA) at Southeastern Regional Medical Center: email hack affecting 3,290
Kaiser Permanente: email hack affecting 990
Sarrell Dental: network server hack affecting 391,472
Pima County: email hack affecting 1,498
CHI Health Orthopedics Clinic – Lakeside: network server hack affecting 48,000
Choctaw Nation Health Service Authority: email hack affecting 500
Beatitudes Campus: email hack affecting 514
Women’s Care Florida, LLC: network server hack affecting 528,188
Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico: network server hack affecting 439,753
Chirobody: unauthorized access of a desktop computer affecting 525
Premier Gastroenterology Specialists: unauthorized access or disclosure of paper/films affecting 1,260
Rocky Mountain Health Maintenance Organization, Inc.: unauthorized access or disclosure of paper/films affecting 1,835
June E. Nylen Cancer Center: unauthorized access to email affecting 927
Alive Hospice: unauthorized access or disclosure of paper/films affecting 533
Health Care Services Corporation: unauthorized access or disclosure of paper/films affecting 998
Rural Health Access Corporation dba Coalfield Health Center: unauthorized access to email affecting 874
Little Rock Plastic Surgery, P.A.: unauthorized access to email account affecting 6,300
Medico of South Carolina, Inc.: unauthorized access of network server affecting 6,489
Prisma – Midlands: theft of paper/films affecting 2,770
Simmons Family Chiropractic: theft of laptop or other portable electronic device affecting 2,000
Perfect Teeth Yale, P.C.: loss of portable electronic device affecting 15,000
How to Protect Against Healthcare Breaches
Healthcare breaches can be costly and damaging to an organization’s reputation, as such it should be a top priority for any organization working in healthcare to secure patients’ sensitive information. Protected health information (PHI), when accessed by those with malintent, can be used to steal a person’s identity or commit financial fraud, making PHI extremely valuable.
The HHS recommends that organizations working with PHI implement the following ten cybersecurity practices:
Email protection systems: refers to securing email communications; although not specifically mandated by HIPAA, emails should be encrypted to ensure secure communications. In addition, utilizing secure passwords and Multi-factor Authentication (MFA) will further secure communications.
Endpoint protection systems: refers to the process of protecting a business network by securing the various endpoints connected to the network. An endpoint is a device that connects to an organization’s internal network such as a laptop, smartphone, tablet, or a server in a data center.
Access management: controls which individuals can view certain information, delegating different levels of access based on an employee’s job role. HIPAA requires entities to access only the “minimum necessary” PHI to perform a job function. For example, someone working in the billing department doesn’t need access to patient medical records, just as nurses don’t need access to patient’s financial information.
Data protection and loss prevention (DLP): ensures that only authorized users have access to sensitive data, and that data is not lost or misused. DLP software categorizes data to identify confidential information or information critical to business operations. Data loss prevention software is also able to detect security violations and provide remediation alerts.
Asset management: refers to tracking and maintaining any device that stores or accesses electronic protected health information (ePHI). Organizations must compile a list of assets including who uses the device and what protections are in place to secure ePHI.
Network management: refers to the process of securing an organization’s internal network. Network security includes access controls, audit controls, encryption, and data backup. Each employee should have unique login credentials to access their organization’s network, this enables audit controls. Audit controls keep a log of normal activity for each individual, enabling the quick detection of insider breaches. Encryption protects data if a network is accessed by an unauthorized individual, while data backup ensures that files are recovered if they are lost or stolen.
Vulnerability management: refers to the process of managing network security by identifying possible risks in an organization’s network, and addressing those risks with remediation efforts. Network scanning, firewall logging, and penetration testing are means in which vulnerabilities can be identified. To address vulnerabilities, in many cases, software patches can be implemented, however, when patches are unavailable network access should be restricted for vulnerable devices.
Incident response: organizations should develop an incident response plan to quickly identify and respond to breaches. The incident response plan should identify what to do when a breach is suspected, who to report breaches to, how to respond quickly, how to contain the breach, and how to recover from the breach. A tested incident response plan drastically reduces the costs associated with a breach.
Medical device security: refers to the security measures in place for medical devices that connect to a network. Devices such as pacemakers, drug infusion pumps, and heart rate monitors, connect to a network, making them vulnerable to cyberattacks. Medical device security is up to the device manufacturer, however, access controls should be implemented to ensure that user activity can be easily tracked.
Cybersecurity policies: are written policies surrounding an organization’s security controls and activities. Cybersecurity policies should be drafted with HIPAA requirements in mind. Organizations must ensure that technical, physical, and administrative safeguards are incorporated into their cybersecurity policies.