Security of Protected Health Information

From Clinfowiki
Revision as of 00:40, 27 April 2022 by Ntk (Talk | contribs)


Introduction

Medical identity theft is one of the fastest-growing crimes in the U.S., costing an estimated $30 billion a year and growing [1]. For the healthcare industry in 2020, ransomware attacks were responsible for $20 billion in lost revenue, lawsuits and ransom paid, affecting over 600 hospitals, clinics and other healthcare organizations [2]. More than 1 in 3 healthcare organizations globally reported being hit by ransomware in 2020 [3].


Motivations for cyberattacks

ePHI is extremely valuable: a complete record of a single patient can sell for hundreds of dollars on the dark web [4].

Additional motivations range from local political to foreign state-sponsored and terrorist: attackers may seek to disrupt critical human services as a form of political retaliation [5].

Cyberattack methods

Threat actors can recover unencrypted or poorly encrypted ePHI from improperly disposed of electronic media (hard drives, floppy disks, optical media). Ordinary file deletion and even a quick format leave the data blocks in place, so the records can be read back from the raw medium. Actors can also plant malicious code on networked machines through email or web downloads [6].
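The following is an added example, not code from the page or any of its sources, showing the check a practitioner would run before storage media leaves the building: a raw-byte scan ("carving") that ignores the file table entirely, so it still finds PHI after the operating system has "deleted" the file. The disk model, the fictitious patient record and the regular expressions are all constructed for this illustration.

```python
import os
import re

# Constructed sample record; the patient and all identifiers are fictitious.
PHI_RECORD = b"PATIENT: Jane Q Sample|DOB: 1970-01-01|SSN: 123-45-6789|DX: E11.9"

# Patterns a pre-disposal scan looks for in raw bytes (assumed formats; extend
# with the MRN and account-number formats your own systems use).
PHI_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(rb"DOB:\s*(\d{4}-\d{2}-\d{2})"),
}


class ToyDisk:
    """Minimal model of a drive with a file table. Deleting a file only drops the
    table entry, which is what ordinary OS deletion does, so the data blocks stay
    on the medium."""

    def __init__(self, size: int = 4096):
        self.blocks = bytearray(size)   # stands in for the raw platter/flash
        self.table = {}                 # filename -> (offset, length)

    def write(self, name: str, offset: int, data: bytes) -> None:
        self.blocks[offset:offset + len(data)] = data
        self.table[name] = (offset, len(data))

    def delete(self, name: str) -> None:
        del self.table[name]            # data is left in place

    def files(self) -> list:
        return sorted(self.table)


def carve_phi(raw: bytes) -> list:
    """Scan the raw bytes of the medium, not the file system, and return
    (kind, offset, matched_bytes) tuples sorted by offset."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(raw):
            hits.append((kind, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def sanitize(disk: ToyDisk) -> None:
    """Overwrite every block (one random pass, then a zero pass) and clear the table.
    On a toy in-memory disk this is sufficient; see the note below for real drives."""
    disk.blocks[:] = os.urandom(len(disk.blocks))
    disk.blocks[:] = bytes(len(disk.blocks))
    disk.table.clear()


def disposal_check(disk: ToyDisk) -> bool:
    """True only if no PHI pattern can be carved from the raw medium."""
    return not carve_phi(bytes(disk.blocks))


if __name__ == "__main__":
    d = ToyDisk()
    d.write("jane.txt", 512, PHI_RECORD)
    d.delete("jane.txt")
    print("files listed after delete:", d.files())
    print("carved after delete     :", carve_phi(bytes(d.blocks)))
    sanitize(d)
    print("safe to dispose         :", disposal_check(d))
```

On real media the overwrite step is only reliable for magnetic disks; SSDs remap blocks through wear levelling, so an overwrite from the host does not necessarily touch the old cells. For those, use the drive's own secure-erase or cryptographic-erase command, or physical destruction, and run the carve over a full image of the device as the acceptance test.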

Insider threats can be particularly damaging: employees with administrative access can physically destroy hardware, plant malicious code, intentionally corrupt data, or crash systems quickly and surreptitiously [7].

Third-party vendors, contractors and temporary employees often have access to valuable data, and they can be exploited or extorted by external parties to leak it. Even housekeepers and maintenance workers may be able to access workstations left unlocked [1].

Social media can be used to conduct social engineering attacks: attackers may use information from social media pages to impersonate healthcare providers or trick them into performing actions beneficial to the attacker [5].

The COVID-19 pandemic has also heightened vulnerabilities: telemedicine and remote work added more ways into systems, such as unsecured virtual private networks and compromised home workstations. It has also led to the furloughing of network security staff who prevent and handle threats [8].

Data breach consequences

Information breaches incur both response and logistics expenses as well as loss of productivity and revenue. Secondary losses include damage to the healthcare provider's reputation. Hospitals may also have to pay large legal defense costs as well as fines and judgments from legal or regulatory actions by the government [9].

Cyberattacks can also harm patients: records intermingled through medical identity theft can lead to dangerous medical outcomes by introducing inaccuracies into the patient's medical record [1].


Prevention

HIPAA Security Rule Standards:

  1. Information Access Management (administrative safeguard)
  2. Access control (technical safeguard)

HIPAA regulated entities must implement required implementation specifications, or else document why and implement equivalent alternative measures if reasonable and appropriate. [10]

Frequent password changes may help in the case of a leaked credential, yet they make it more likely that users will need to call IT for password resets or write their passwords on paper notes. Static challenge questions no longer provide adequate safeguards and should be replaced with multi-factor authentication [1].

A policy that allows providers to “bring your own device” can increase productivity and decrease costs yet create more work due to lack of uniformity [5].

Physical safeguards should also be considered: locked doors, property controls (tags, engraving on equipment), personal controls (ID badges, visitor badges), private security [11]

A recent report found that external threat actors perpetrated 61% of data breaches, while insiders accounted for 39% [12]. Hospitals should keep carefully audited maintenance logs to track equipment and facility repairs that affect physical security [1]. Human resources should screen new employees for potential liabilities using criminal records, credit checks, drug tests, and a search for aliases [1].

Examples of Cyberattacks

  • July 2020 attack on Family Medical Center of Michigan. The system paid $30K in ransom to cybercriminals. [13]
  • The REvil hacker group performed a ransomware attack on the University Medical Center of Southern Nevada in which patient data was stolen [14].
  • August 2021 attack on Memorial Health System [15].
  • September 2021 attack on Missouri Delta Medical Center. Stolen medical information was released online [16].

References

  1. Phelan, J. (2012). Creating a Trusted Environment: Reducing the Threat of Medical Identity Theft. Healthcare Information and Management Systems Society. https://risk.lexisnexis.com/cross-industry-fraud-files/docs/healthcare/Creating-Trusted-Environment-Reducing-Threat-Medical-Identify-Theft.pdf
  2. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
  3. Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
  4. Forensic Readiness. Journal of Medical Systems, 43(1). https://doi.org/10.1007/s10916-018-1123-2
  5. Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An Introduction to Information Security (NIST SP 800-12 Rev. 1). Gaithersburg, MD: NIST. https://doi.org/10.6028/NIST.SP.800-12r1
  6. Wilshusen, G. C., & Barkakati, N. (2012). Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged. Report to Congressional Committees. http://purl.fdlp.gov/GPO/gpo33062
  7. Software Engineering Institute. (2008). Introduction to Information Security. www.isc.org/index.pl
  8. Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
  9. Hutton, A., & Jones, J. (2013). Risk Taxonomy (O-RT), Version 2.0. The Open Group.
  10. HHS Office for Civil Rights. Controlling Access to ePHI (cybersecurity newsletter). https://www.hhs.gov/sites/default/files/controlling-access-ephi-newsletter.pdf
  11. CMS. (2007). Security Physical Safeguards. www.cms.hhs.gov/SecurityStandard/
  12. Verizon. Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/
  13. https://www.monroenews.com/story/news/2021/09/20/hackers-target-local-health-care-company/8403463002/
  14. McKeon, J. (2021, July 1). Hospital Ransomware Attack in Las Vegas Exposes PII. Health IT Security.
  15. https://healthitsecurity.com/news/memorial-health-faces-lawsuit-after-hive-ransomware-cyberattack
  16. https://healthitsecurity.com/news/hive-ransomware-continues-to-attack-healthcare-providers


Submitted by Nikhil Kurapati