Some would define 2014 as the “year of the hacker.” From Target and eBay to iCloud and Sony, millions of Americans had their personal information leaked as a result of attacks by hackers. As many in the healthcare profession know, medical information is a prime target for hackers and 2014 saw a record number of attacks on medical facilities.
In August of 2014, the security firm Websense reported a 600 percent increase in attacks on hospitals over the previous 10 months. Community Health Systems (CHS), the largest non-urban provider of general hospital healthcare services in the United States, suffered the most significant of the 2014 hospital hacks. CHS, which is headquartered in Franklin, Tennessee and operates 206 hospitals in 29 states, experienced an information breach in August of 2014 that leaked the information of 4.5 million patients. In the end, the Privacy Rights Clearinghouse reported that nearly four million more medical records were stolen in 2014 than in any previous year.
Hackers are more commonly attacking medical facilities because medical records are more valuable on the black market, as they provide more personal information than credit cards. Surprisingly, data security has not been a top priority for many healthcare organizations when purchasing electronic health record (EHR) software systems. Medical facilities have placed the need for fast and easy access to medical information above the need for improved security. In addition, the introduction of new technologies to access medical information, including smartphones, tablets, and various medical devices, has created new vulnerabilities.
What can you do?
We invite you to review your EHR software system as you enter 2015. Healthcare facilities need to focus on doing business with software companies that make finding solutions to the hacking threat and the protection of personal health information top priorities. We also recommend that you double check to ensure you have Business Associate Agreements (BAA) signed with all vendors and that these agreements are compliant with HIPAA.
A BAA protects the information of patients in accordance with HIPAA guidelines. A BAA should explicitly detail how a vendor will report and respond to a data breach, including data breaches that are caused by a vendor’s subcontractors. In addition, a HIPAA-compliant BAA should require vendors to demonstrate how they will respond to an investigation by the Office for Civil Rights.
Should you have any questions or need any legal assistance, feel free to call us at (949) 222-2008.