As the volume of compromised ePHI continues to rise, healthcare providers are not waiting around to identify risks. 31,611,235 healthcare records were breached in the first six months of 2019, double the number exposed in healthcare data breaches during all of 2018 (14,217,811 records), according to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, as cited by HIPAA Journal.
The sheer volume and complexity of threats to ePHI are staggering, and many providers find it challenging to identify them. As technology changes and organizations try to adapt, we're seeing an unprecedented number of ways that attackers can exploit IT systems to gain access to ePHI. One recent article details flaws in Chrome and Firefox browser extensions that enabled access to the local area networks of several healthcare entities; an extension runs inside a browser that already has a foothold on the internal network, so a flaw in it reaches whatever that browser can. Simple everyday tools like web browsers are now part of a wider threat landscape that healthcare leaders can no longer afford to ignore.
Many healthcare entities face challenges that are almost paradoxical in nature, which makes it hard for leaders to know which direction to take and which methodology will support the best outcome. Take for example this quote from Harun Rashid, CIO of Akron Children's Hospital, discussing the nature of healthcare IT.
“On one hand, the government and other entities say you need to share information, but on the other hand, if you have a breach, you may be penalized severely. It’s a double-edged sword as you want to enable interoperability and health information exchange, but on the other hand, you have a responsibility to make sure that it is highly secure. It’s a challenging time when it comes to security and sharing, and we just have to find that happy medium.”
The quote above is one example of why providers need visibility and insight into healthcare IT security and compliance in order to make informed decisions.
Many providers also struggle to find enough resources to carry out the necessary ongoing security and compliance tasks: deploying tools, gathering information, reporting key findings, and creating a roadmap to improve their security and compliance posture. For many, this can seem out of reach.
Healthcare entities may also devise their own workarounds to problems with their IT systems, only to find out later that they have potentially compromised their data.
A recent audit by the Office of Inspector General (OIG) found that a Windows 7 upgrade at the Tibor Rubin VA Medical Center in Long Beach, California, led to sensitive information being transferred by unsecured means for four years.
The 2013 Windows 7 upgrade broke compatibility between the medical center's EHR software and a medical device managed by the facility's gastroenterology laboratory. The workaround that followed involved copying data from the medical device to a personal computer operated by the lab. The audit also found that sensitive data of 133 patients was potentially exposed when it was shared from the lab to VA staff through unsecured emails, text messages, unencrypted flash drives, and cloud storage. Every one of those channels sits outside the access controls, encryption, and audit logging that the EHR itself enforces, which is why an ad hoc workaround to a compatibility problem turned into a four-year exposure. Testing medical-device and EHR compatibility before an operating system upgrade, and giving staff a sanctioned, monitored path for moving data when something does break, would have closed that gap.
Mandry Technology has spent more than two decades understanding the healthcare data environment and building expertise in HIPAA compliance. We created a new model of compliance and security as a service to help healthcare organizations understand the risks to their ePHI and to provide pathways to organize and structure an appropriate response to those risks. This subscription-based model reduces business disruption by scheduling and deploying security and compliance activities throughout the calendar year, and gives entities the ability to predict their compliance and cybersecurity expenditures.