Protecting Healthcare Records These Days is Like a Game of “Whac-a-Mole”

Ipro Tech

[author: Doug Austin, Editor of eDiscovery Today]

You’ve probably either played “Whac-a-Mole” yourself as a kid or watched your kid play it at a Chuck E. Cheese or a similar arcade. It’s a simple game: moles pop up out of five holes, and you score a point each time you bop one on the head with a soft rubber mallet. It starts out slow, and it’s easy to keep up with the moles. But it gets faster and faster until several are popping up at once and it’s impossible to keep up with them all.

Protecting the protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) has become a game of “Whac-a-Mole”: the number of places PHI can appear keeps growing, it is increasingly difficult to protect all of them, and every unprotected copy expands the risk of exposure of that data.

Impacts from a Recent Healthcare Cyber Attack

Here’s one example of a recent ransomware attack that affected many healthcare organizations. On February 19, 2021, NEC Networks, dba CaptureRx, a company that provides IT services to hospitals to help manage their 340B drug discount programs, determined that unauthorized individuals had accessed, acquired and encrypted files containing sensitive data earlier that month, on February 6. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack. That’s scary.

CaptureRx stated that it had security systems in place to ensure the privacy and security of healthcare data, but the attackers managed to bypass those protections. Following the attack, the company said it reviewed and enhanced its policies and procedures and provided additional training to its workforce to reduce the risk of further security breaches.

Here’s something potentially even scarier: at least 32 healthcare organizations were affected by this one ransomware attack. It didn’t originate inside the healthcare organizations themselves; it originated at the IT provider they all shared for a single function, 340B drug discount program management (under HIPAA, a business associate handling PHI on their behalf). Had even one of those healthcare providers been more diligent in vetting that vendor’s security policies and procedures, the issue might have been caught before it reached all of them.

Of course, that didn’t stop multiple class action lawsuits from being filed. Just this week, CaptureRx proposed a $4.75 million settlement to resolve claims related to the breach. That’s a significant cost for one data breach, and it’s only the latest example of data breaches involving healthcare organizations.

The interactive map of US ransomware attacks since 2018 from Comparitech shows 283 known ransomware attacks during that time, with 193 of them coming in just the last two years (several of which involve hundreds of thousands to millions of patient health records compromised).

Shadow Information Within Healthcare Organizations

The example above illustrates a significant problem in protecting PHI and other personally identifiable information (PII) within healthcare organizations: shadow information.

Healthcare organizations already invest millions in Electronic Medical Record (EMR) solutions, including the security that protects them. The problem is the other solutions and systems that integrate with the EMR and store PHI and PII for the same patients: SharePoint, shared drives, and outside providers such as the one in the example above.

Many organizations don’t even realize the extent to which PHI and PII has proliferated within their organizations as shadow information in various other systems and solutions.

Conclusion

Ultimately, it doesn’t matter how secure your primary EMR solution is if attackers can get the same information from a less secure system the organization also uses. That leaves organizations playing “Whac-a-Mole” to protect the information everywhere else. That weaker copy is the “back door” attackers go looking for.

The first step to protecting valuable PHI and PII is knowing where it is! How valuable is it? At least $4.75 million to one IT provider of healthcare services.
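Knowing where PHI has spread means actually scanning the shares, exports and notes folders outside the EMR. The script below is an added example written for this page, not code from the original post or from Ipro; it walks a directory tree, flags text-like files that contain PHI indicators, and reports only counts and masked samples so the scan report does not become yet another copy of the data. The choice of indicators (SSNs validated against ranges the Social Security Administration never issues, a “DOB” label followed by a date, US phone numbers), the file types scanned, and the sample files it builds are all assumptions for illustration; a real scan would add a text extractor for PDF and Office formats.

```python
"""Minimal PHI discovery scan for shared drives and export folders (added example)."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field

# Candidate patterns. The regexes over-match on purpose; is_valid_ssn()
# then drops values the Social Security Administration never issues.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\bDOB\b\W{0,5}(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})", re.IGNORECASE)
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")

# Assumed scope: only text-like files are read. PDF/DOCX/XLSX would need an
# extractor in front of scan_text().
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}

# Constructed sample data (not real records) standing in for a shared drive.
SAMPLE_FILES = {
    "billing/340b_export.csv": "patient_id,ssn,dob\n"
                               "1001,123-45-6789,DOB 03/14/1975\n"
                               "1002,876-54-3210,DOB 1982-11-02\n",
    "notes/meeting.txt": "Call back Jane, DOB 07/04/1990, at 512-555-0199 about her refill.\n",
    "docs/README.txt": "Order number 000-12-3456 is an invoice reference, not an SSN.\n",
}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area 000/666/900-999, group 00 and serial 0000 to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report can be shared safely."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    path: str
    ssn: int = 0
    dob: int = 0
    phone: int = 0
    samples: list[str] = field(default_factory=list)

    def total(self) -> int:
        return self.ssn + self.dob + self.phone


def scan_text(path: str, text: str) -> Finding:
    """Count PHI indicators in one file's text, storing masked samples only."""
    f = Finding(path=path)
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            f.ssn += 1
            f.samples.append("ssn:" + mask(m.group(0)))
    for m in DOB_RE.finditer(text):
        f.dob += 1
        f.samples.append("dob:" + mask(m.group(1)))
    f.phone = sum(1 for _ in PHONE_RE.finditer(text))
    return f


def scan_tree(root: str) -> list[Finding]:
    """Walk root, scan text-like files, return files with hits, most hits first."""
    findings: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            f = scan_text(path, text)
            if f.total():
                findings.append(f)
    return sorted(findings, key=lambda f: f.total(), reverse=True)


def build_sample_tree(root: str) -> None:
    """Write the constructed SAMPLE_FILES under root."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def summarize(findings: list[Finding], root: str) -> dict[str, dict[str, int]]:
    """Per-file counts keyed by forward-slash relative path."""
    out: dict[str, dict[str, int]] = {}
    for f in findings:
        rel = os.path.relpath(f.path, root).replace(os.sep, "/")
        out[rel] = {"ssn": f.ssn, "dob": f.dob, "phone": f.phone}
    return out


def demo() -> dict[str, dict[str, int]]:
    """Build the sample share in a temp dir, scan it, print and return the summary."""
    root = tempfile.mkdtemp(prefix="phi-scan-")
    build_sample_tree(root)
    findings = scan_tree(root)
    for f in findings:
        print(f"{f.total():3d} hits  {f.path}  samples={f.samples[:3]}")
    return summarize(findings, root)


if __name__ == "__main__":
    demo()
```

Run it as-is and the 340B export file ranks first (two SSNs and two dates of birth), the meeting note second (one DOB and one phone number), and the README is not reported at all because `000-12-3456` fails the SSN range check. Pointing `scan_tree()` at a real share instead of the temp directory gives the inventory that the “first step” above calls for, and the masked samples let the report circulate without itself becoming a PHI exposure.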


Written by:

Ipro Tech