Healthcare depends on patient trust -- trust in the physician, in the system, in the privacy they provide. Security breaches of the IT systems that hold patient data can undermine that trust. Will the distrust of patients who doubt the integrity of health IT spill over onto their providers, leading some to seek care elsewhere? Will those who remain hesitate or refuse to disclose details that physicians and nurses need to manage their healthcare?
Early this year, hackers successfully attacked Emory Healthcare, exposing data about at least 79,000 patients. Those records were among more than 325,000 patient records hacked in just the first two months of this year, according to the U.S. Department of Health and Human Services Office for Civil Rights.
Stopping cyberattacks is critically important not only for the continuation of provider-patient relationships but also to prevent loss of revenue and federal penalties. Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, the federal government (as of February 28, 2017) has investigated and resolved 24,879 cases that allegedly violated HIPAA rules. Of these, 47 cases have been settled for a total of $67,210,982.
Cyberattackers were responsible for 31% of the major HIPAA data breaches reported in 2016, according to TrapX Security. Last year 93 major cyberattacks were successfully launched against healthcare organizations, according to TrapX. Among the most substantial were Banner Health (3.6 million records), 21st Century Oncology (2.2 million), and Valley Anesthesiology Consultants (880,000).
A leading type involves ransomware -- malware that typically encrypts data, which the attacker promises to decrypt if a ransom is paid. The Emory assault was a variation. Cybercriminals removed the appointments database and demanded ransom to restore it. (Emory did not publicly disclose in news articles about the breach whether it paid the ransom.)
Other types of attacks pilfer patient data for sale on the black market. Patient records contain a wealth of valuable information, including Social Security numbers and insurance details.
Keeping these data secure means understanding your IT systems -- how they function and what their patterns of operation look like. When patterns change, trouble may be afoot.