Data Breaches in Health Information Systems

By April 28, 2016Health

In this day and age, any information that is online is susceptible to attack. Medical information, unfortunately, is no exception, and according to the Verizon 2015 Protected Health Information (PHI) Data Breach Report, which analyzes 80,000 of such incidents (including data breaches), stolen medical information affects 18 out of 20 industries examined (1, 2). Due to this threat, many people are actually withholding their medical information from their healthcare providers, which has a negative ripple effect—healthcare companies and providers need this information in order to perform most effectively.

Data breaches also occur in several other areas of industry. However, PHI breaches have several distinguishing characteristics, particularly in who is conducting the breach, how the breach occurs, and the consequences of the data breaches. For example, the number of internal and external actors in breaches is fairly similar, meaning that much of this data is stolen by people who have insider access (2). The data that is stolen tends to be vulnerable and valuable personal information that can easily be used to facilitate financial crimes and tax fraud (2).

86% of all breaches of PHI data fall into three categories: lost portable devices (that, in this day and age, often contain private health information via mobile applications and or access to communications via email), errors in sending medical reports to the wrong recipient, and misuse from an employee that has access to the information (insider abuse). However, there are several new opportunities and techniques that can be used to phish data away from the physical machine that holds the database. According to the Verizon PHI Data Breach Report, around 23% of recipients who receive any kind of phishing messages will open the messages and the attachments—and each of these attachments will have malware and malicious codes that can get through and compromise systems (3). These consequences often have long-term effects: after this data is stolen, because the effects are often not evident, it can take up to years for users to discover that there has been a breach (2).

The US Department of Health and Human Services (HSS), in light of the number of increasing PHI breaches, has required that HIPAA (Health Insurance Portability and Accountability Act) covered entities give both speedy individual and media notices of the occurrence of the breach, and what kinds of information might have been exposed (3). In addition to these notifications, the Secretary of the HHS must be notified based on the magnitude of the breach (4).

These breaches are no exception to anesthesia providers, who often also carry PHI for the multitude of surgical procedures that must occur under anesthesia. To prevent against these breaches, there can be simple measures taken to protect user’s personal data. According to the Healthcare IT News, five steps to boosting against vulnerabilities include conducting an annual HIPAA security risk analysis, encrypting data-at-rest, conducting more frequent vulnerability assessments and penetration testing, investing in the security awareness of your employees, and engaging with your business associates (5). The protection of user’s personal data is important to the entire healthcare industry as it builds trust between the public and various types of healthcare providers—businesses should take care to ensure that their PHI databases are secure by taking steps forward for security in an ever-changing information technology-based world.