
The TrakCel Life Sciences Blog

Stemming the Tide of Cybercrime: Protect your Patients' PHI

November 2, 2016

Human beings are not designed to handle large numbers. If someone owes you $100 but pays you only $1, you would rightly be upset. Yet when considering two people worth $1 billion and $2 billion respectively, most people would regard them as similarly wealthy, when in fact one is vastly wealthier than the other.

Maybe this is why the PHI data breach statistics that HHS makes public on its website don't make big news.

They should. Last year (2015), 111,818,172 patients and other individuals had their data exposed through the hacking of US companies working in the healthcare industry.

This year alone, in the four months from January to April, the PHI of 2,352,180 patients has already been exposed by hacking.

The numbers are staggering.

In practical terms, data breaches from US companies impact more people annually than the population of Germany.

But it gets worse. Not content with stealing data, attackers are now turning their attention to the booming business of ransomware, where the PHI is encrypted by the attacker, who then demands payment in return for the key to decrypt it. Some attacks make the news, but most don't.

And it's not that the attackers are getting smarter. The 2016 Verizon Data Breach Investigations Report, published last week, reiterated that the same 10 vulnerabilities accounted for 85% of successful exploit attacks, with some of those vulnerabilities being older than the attackers who have been found exploiting them.

In an effort to encourage companies to close the floodgates themselves, last month the OCR initiated a new, stricter set of HIPAA audit protocols, and it has been increasing the number of multimillion-dollar fines levied as a result of data breaches. Time will tell if this makes a difference.

So how do you ensure that the PHI you're holding remains private?

There are two simple things you can do right now:

Ensure there is a Business Associate Agreement in place with any supplier or business partner that will potentially handle PHI. There is guidance on this on the HHS website; however, it is also important to get your legal team involved before any agreement is signed.

Put in place an SOP for regular security risk assessments of your systems. There is a free tool provided by HHS, but you will always gain more from an assessment performed by a qualified security expert. Ensure that the results are reviewed by your Senior Management Team. Put a plan in place to implement any critical recommendations, and ensure someone owns that plan.

If enough organisations followed these two simple steps, maybe the breach numbers would reduce enough for us to get our heads around them.

Simon Stratton
Head of Quality & Security

Simon Stratton is a CREST-accredited penetration tester who leads TrakCel's Security Test Department. Simon has 16 years' experience working at IBM, EADS and Fujitsu and is an enthusiastic adopter of a new wave of security practices in which security knowledge is shared with every IT professional in the organisation, not just one individual or group.
