Protegrity Blog

Healthcare Industry Faces Epidemic of PHI Attacks

Healthcare organizations are under siege from profit-minded hackers who are using common exploits to extract the contents of sensitive databases and sell them for US$20 per record or more, writes David Braue in his CSO Online article, “Healthcare under siege as stolen data brings windfalls on darkweb markets.” Intel Security’s McAfee Labs searched online dark-web forums and discovered a thriving trade in healthcare and financial details obtained from compromised medical centers, insurance companies, and other healthcare providers in the US.

Healthcare organizations are increasingly being held accountable for inadequate data security practices. This month St. Joseph Health agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights (OCR) that its data security was inadequate, according to an article in Lexology, “Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines.”

This settlement arrives only a few months after OCR entered into settlements with Advocate Healthcare, Oregon Health & Science University, and the University of Mississippi Medical Center for $5.5 million, $2.7 million, and $2.75 million, respectively. These actions indicate that OCR enforcement efforts will continue to focus on investigating the systemic root causes of data breaches – including the failure of healthcare entities to perform accurate and thorough risk assessments.

OCR is also warning that businesses collecting and sharing consumer health information must comply with the FTC Act that prohibits businesses from engaging in deceptive or unfair practices, according to another article in Lexology, “OCR: Businesses Sharing Consumer Health Information Must Also Comply with FTC Act.”

As healthcare cybersecurity threats continue to evolve, covered entities must ensure that they are also adapting their approaches to data security, according to a recent position statement from the Healthcare Information Management Systems Society (HIMSS). In her article in HealthIT Security, “HIMSS Urges Holistic Security to Combat Cybersecurity Threats,” Elizabeth Snell outlines the actions HIMSS says the industry must take: implement a universal healthcare information privacy and security framework, create a cybersecurity leadership role at the Department of Health and Human Services, and resolve the shortage of qualified cybersecurity professionals.

Here’s a roundup of other top data security stories making headlines or providing insights for the week ending Oct. 28, 2016:

“FCC Strengthens Broadband Privacy Rules for ISPs,” by Shirley Siluk in Top Tech News. New rules adopted this week by the FCC spell out opt-in and opt-out requirements for different types of customer data that ISPs can use or share with others, and also set out new requirements for transparency and security.

“Cybersecurity, business and IT relationships,” by Jon Oltsik in NetworkWorld. Working relationships between cybersecurity, business and IT groups are strained and fraught with challenges. If the cybersecurity team doesn’t communicate and collaborate well with other groups within an organization, it will be difficult—if not impossible—to stay current with what’s needed for security incident prevention, detection and response.

“Smarter Enemies Alter Cyber Battlefield,” by Tobias Naegele in Govtech Works. The cyber security landscape is shifting fundamentally as hackers deploy increasingly sophisticated tools – often the same tools cyber defenders employ to stop them.

“It’s time for a national standard to protect consumer information,” by U.S. Senator Patrick Leahy in The Hill. Too many corporations have inadequate measures to secure consumers’ information. American consumers deserve better than mere notification of the next breach.

“Symposium Notes – Day Four Returns to Data Security, and to Hadoop,” by Gartner analyst Merv Adrian. Data security is heating up, and organizations are not ready. Key principle: you can’t outsource responsibility.

“3 ways retailers plan to protect customer data,” by Bryan Pearson in Retail Customer Experience. Six in 10 of the retailers surveyed expect to put multi-channel tokenization into practice by the end of 2017.

“Getting data privacy and security right is ‘paramount’ to success of open banking, says regulator,” by the editors of Alasdair Smith, an inquiry chair at the UK’s Competition and Markets Authority (CMA), said without “the right safeguards” banking customers will not give their consent for their data to be “shared with anybody.”

“Most UK Local Authorities Don’t Fund Security Training,” by Phil Muncaster in InfoSecurity Magazine. A shocking 86 percent of UK local authorities have allocated no funds to IT security training this fiscal year, and many have no management plans in place to protect staff-issued mobile devices.
