Healthcare providers’ risk of data breach
By Scott Chase and Catherine Parsley
Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks. Attacks and other security breaches can have far-reaching effects for providers and their patients.
Electronic Medical Records
Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured. The new EMR systems make sharing PHI easy. Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records. Many providers’ network systems have been pieced together over time, leaving vulnerabilities and inconsistencies. At the same time, online attackers are getting increasingly complex and sophisticated. Another problem created by piece-meal network systems is that many providers either cannot or do not know how to detect in real time if their network system is being compromised.
These factors leave healthcare providers open to higher risk of attacks and data loss. Any data loss can constitute a breach of the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA). If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs. One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures. It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.
It is also important to note that the HIPAA, pursuant to its security rule, requires a risk assessment for PHI vulnerability whenever the following occurs
- In response to environmental and operational changes, such as implementation of new technology or changed office operations
- Any security breach or security incident that indicates vulnerability.
Fines have been levied on providers that have not performed such assessments, even if no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers own makes them a highly-sought out target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation. In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.
Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs. For more information on the available services, contact board-certified health care attorney Scott Chase.
- Health Care and Cyber Security: Increasing Threats Require Increased Capabilities, KPMG LLP (2015)
- Cyber Attacks on Healthcare Organizations, KPMG Survey, KPMG LLP (Dec. 2015)
- Heather Landi, OCR Fines Children’s Medical Center of Dallas $3.2M Due to HIPAA Non-Compliance, Healthcare Informatics (Feb. 1, 2017)
About the Authors
Scott Chase is a Dallas health law attorney, certified by the Board of Texas Legal Specialization. Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).
Catherine Parsley is currently (March 2017) an intern at Farrow-Gillespie Heath Witter, LLP. Ms. Parsley is a law student at SMU Dedman School of Law in Dallas, Texas, where she is a staff editor of the SMU Law Review. Catherine served as a judicial extern for Chief Justice Nathan L. Hecht, of the Supreme Court of Texas. She holds a B.S. in communications studies, cum laude, from the University of Texas at Austin.