Stemming the Tide of Medical Information Data Breaches

Sarah B. Galeli
Associate Editor
Loyola University Chicago School of Law, J.D. 2020

Protected Health Information is seeing a surge of breaches on the cyber security front due to contractor error. It’s also impacting the most consumers in comparison to other data breaches and, in some cases, has the power to cause chaos in national infrastructure. Advances in technology and compliance measures can stem the tide and protect the most valuable information in consumers lives.

The Problem

Protected Health Information(“PHI”) “… can be used by criminals to obtain expensive medical services, devices and prescription medications, as well as to fraudulently acquire government benefits like Medicare or Medicaid.” Stolen PHI can also cause the intended patient medications to be mixed up or hinder patient treatment if their identity has been stolen and used by a third party, confusing medical diagnoses. This is as much a global issue as it is an issue for the United States. Advances in medical technology and improvements in healthcare cyber security move at a slower pace than those in other industries. In other countries, primarily ones with single payer systems, the healthcare industry is utilized like any other nationwide infrastructure, making it a vulnerable target for anyone looking to cause chaos. In fact, twenty-six percent of U.S. healthcare consumers have experienced medical identity theft.

The Cause

Even in today’s quickly advancing technological world, spending on cyber security is most commonly a reactive measure once a breach has been discovered rather than a proactive measure to prevent a future breach. Studies have shown that proactive data recovery planning has decreased the cost and frequency of medical information breaches by more than thirty percent. Budgeting for cyber security without a present threat can be difficult to accommodate in a tight budget. Many healthcare providers remain focused on endpoint and network security, even though these measures have been ineffective at stopping current and evolving threats.

Two-thirds of Medicaid PHI data breaches are the result of mistakes by state agencies and their contractors, rather than external hacks into medical provider systems. Many of these breaches are misdirected letters or faxes sent to the wrong contact information or provided in person to the wrong patient. The good news is that there are compliance measures for both cyber security and human error to stem the tide of PHI data breaches.

Compliance Measures

The most critical cyber security measures to mitigate the threat and damage of medical identity theft involve cyber security upgrades that allow for specific auditing and monitoring, as well as improved policies and procedures and training and education of medical provider workforce personnel.

Data Loss Protection (“DLP”) addresses security concerns in file sharing to protect patient information as cloud security systems are increasingly adopted in the healthcare industry. These cloud-based health systems assist in creating a more efficient, patient-centered experience, however they can also limit the risk of a potential data breach. The cloud-based systems allow access to limited information at one time, providing monitoring tools to show what data was accessed and by whom. They also keep PHI from being downloaded or saved on devices not part of the cloud system. These systems should be protected by a layer of incident protection monitoring to allow providers to detect an incident of breach so that they can mitigate the damage. Regular internal risk assessments of the IT systems, incident protocols, and security system features should be utilized to ensure DLP is being achieved.

With new technology and security advances come updated training for current workforce members and future clinicians and medical providers still in training. Healthcare and Public Health Sector Coordinating Council(“HSCC”) will be issuing a voluntary curriculum for medical schools to adopt regarding cyber security later this month in an answer to several health identity data breaches in recent years. Until those best practice measures are released, the best option for medical providers is to be proactive. Educating employees on being cyber aware, providing training according to their role and responsibilities in relation to protected health information, and hiring and retaining qualified staff is key in the prevention of mistakes leading to the improper disclosure of PHI. Medical providers should also consider creating new roles with an emphasis on cyber security like a Medical Security Officer.

PHI is the most personal and most at-risk data consumers produce. Recent events have shown that this data is continually hacked and frequently provided by mistake or miscommunication. Advancements in health data cyber security and improved training and education can be implemented by medical providers in an effort to proactively use compliance measures to the benefit of their organizations, decreasing the effect of medical identity theft.