A quick survey of 3 recent breaches - including one very high profile case - reminds us to be especially vigilant to avoid these all-too-common scenarios with protected health information
Breach #1: Paper PHI – even in your personal briefcase – isn’t protected, and can lead to a breach of PHI
The following breach serves as a case in point: On July 2, 2020, a doctor from Lee Moffitt Cancer Center and Research Institute in Tampa left a briefcase in his car – never a safe place for paper files with PHI to reside – and the briefcase was stolen.
HIPAA Violation: Between the paper files containing PHI and two unencrypted USB storage devices, 4,056 patients had their private health information exposed. The PHI included patient names, dates of birth, and the kinds of services they received at Moffitt.
In a perfect world, physicians would be able to carry patient files (on paper) in their personal briefcase. There was a time when they all did, for paper files were the norm. Most health institutions have since transitioned to electronic records for faster access, search capabilities, and essential security protections like data encryption (because it’s not a perfect world), yet paper still gets used – at great risk.
From a security standpoint, this proves once again that automobile windows, door locks, and alarms are simply no match for firewalls, vulnerability scanning, and encrypted devices. Glass and metal won’t keep a determined thief at bay, and once he has the paper records, they can easily be read. This is exactly why HIPAA specifies the implementation of “a mechanism to encrypt PHI whenever appropriate.” (See this and the additional technical safeguards of the Security Rule here.)
Breach #2: Employee Snooping/Theft is a Big Problem
Curiosity is natural, but breaking the law to satiate that “need to know” is something else. Add in a high-profile case that shook the world and it only increases the temptation. Hennepin County Medical Center in Minneapolis discovered this when several employees violated HIPAA and snooped into George Floyd’s medical records. (Yes, that George Floyd).
HIPAA Violation: While publicity will no doubt help send a reminder, basic training about HIPAA rules – which all employees are required to have – should have sufficed to warn that snooping into records you have no business viewing is a clear and obvious violation. Hennepin County Medical Center now faces a possible lawsuit.
Bringing attention to employee snooping through regular training is essential; working to instill a culture of privacy is also key. Access logs and monitoring will also help, because they make snooping visible after the fact and deter it in the first place.
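As an added illustration of what “access logs and monitoring” can look like in practice (example code written for this post, not from Hennepin County Medical Center or HIPAA Vault), the script below scans a constructed EHR audit-log extract and flags chart views by staff who are not on the patient’s care team, escalating any such view of a high-profile (“VIP”) patient. The log format, care-team table, and role exemptions are all assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample EHR audit-log extract (not real data): who opened which
# patient chart, and when.
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2020-06-01T08:02:11,dr_ali,physician,P-1001,view_chart
2020-06-01T08:15:40,nurse_kim,nurse,P-1001,view_chart
2020-06-01T09:31:05,billing_sam,billing,P-1001,view_chart
2020-06-01T09:33:17,clerk_joe,clerk,P-1001,view_chart
2020-06-01T10:05:52,dr_ali,physician,P-2002,view_chart
2020-06-01T11:47:09,clerk_joe,clerk,P-2002,view_chart
2020-06-01T12:10:33,clerk_joe,clerk,P-3003,view_chart
"""

# Constructed treatment-relationship table: the staff assigned to each patient.
# Anyone else opening the chart has no obvious business need to do so.
CARE_TEAM = {
    "P-1001": {"dr_ali", "nurse_kim"},
    "P-2002": {"dr_ali"},
    "P-3003": {"clerk_joe"},
}

# Roles assumed to have a legitimate non-clinical reason to open any chart.
EXEMPT_ROLES = {"billing"}

# Patients flagged as high-profile; any non-care-team view is escalated.
VIP_PATIENTS = {"P-1001"}

def find_snooping(log_text, care_team, exempt_roles, vip_patients):
    """Return (timestamp, user, patient_id, severity) for each chart view
    by someone with no treatment relationship to the patient."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        pid, user, role = row["patient_id"], row["user"], row["role"]
        if user in care_team.get(pid, set()) or role in exempt_roles:
            continue  # expected access: on the care team, or an exempt role
        severity = "high" if pid in vip_patients else "medium"
        findings.append((row["timestamp"], user, pid, severity))
    return findings

def repeat_offenders(findings, threshold=1):
    """Users flagged more than `threshold` times: a pattern, not a one-off."""
    counts = defaultdict(int)
    for _, user, _, _ in findings:
        counts[user] += 1
    return {u: n for u, n in counts.items() if n > threshold}
```

Running `find_snooping(ACCESS_LOG, CARE_TEAM, EXEMPT_ROLES, VIP_PATIENTS)` on the sample flags the clerk’s two out-of-scope views and nothing else; in a real deployment the care-team table would come from the scheduling or admission system rather than a hard-coded dictionary.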
In another case of misuse of data by an employee, Anna Zur of Franklin Park, IL stole the identities of nursing home residents in order to pay $25,000 of her own bills. Zur accessed the residents’ accounts through her job in the facility’s corporate office, and she’s believed to have stolen at least 35 identities to perpetrate the fraud.
Breach #3: Ransomware is Still Wreaking Havoc
Unfortunately, the recent plethora of ransomware attacks – including this year’s major attack on Blackbaud – reminds us how devastating these attacks can be. A cloud computing provider that serves nonprofits, foundations, healthcare, and religious organizations, Blackbaud was attacked in January, impacting at least 19 different hospitals that relied on Blackbaud’s services. Precisely how this attack occurred isn’t known, but we have a pretty good idea: a recent survey of Managed Service Providers (MSPs) revealed that 67% identify email phishing as the primary cause of ransomware infections.
HIPAA Violation: Nearly 3 million records from hospitals and health organizations have been compromised by this attack – the largest of 2020 so far. Blackbaud agreed to pay an undisclosed ransom (which some have criticized as “funding cybercriminals”) in order to decrypt files that were encrypted in the attack, as well as to have stolen files permanently deleted.
Again, while the exact cause of the breach is being investigated, the high incidence of ransomware-from-phishing attacks should spur us to action. Employee cybersecurity awareness training should be considered essential, to help your staff adopt a greater security mindset as well as recognize and combat phishing scams.
While data breaches are showing no signs of slowing, the good news is that data breach-prevention solutions exist that can help mitigate the causes of each of these attacks on your data. HIPAA Vault’s managed security expertise has enabled healthcare providers, business organizations, and government agencies to secure their protected health information, 24/7/365. Whether encryption for medical records and email, training about phishing attacks for you and your employees, or multi-layered security to help protect against Ransomware, we have the solutions you need to remain secure and help your systems stay online at all times.
Give us a call and we’ll tailor a solution to fit your needs today! 760-290-3460, or chat us at: www.hipaavault.com.
HIPAA Vault is the leading provider of HIPAA compliant solutions, offering a full array of secure solutions, including secure hosting, email, file sharing and faxing, compliant WordPress, and more.