Protect Your PHI
Cybersecurity Awareness – By Ron Frechette, The Cyber Guy
There was a record number of data breaches by cyber criminals targeting small to midsize healthcare practices in 2017, and the trend continues to grow. Why are cyber criminals so interested in our personal healthcare information, and how can we reduce the risk of having it stolen?
Every man, woman, and child who has been seen by a healthcare provider in America knows the drill on the very first visit. We are required to provide our full name, address, phone number, date of birth, SSN, insurance policy details, the prescription drugs we take, a list of every medical condition we have or have had in the past, payment information for copays, and much more.
Once all that information has been collected and we have been seen by the provider, we will most likely be sent to a lab or a specialist for further examination: bloodwork, urine tests, an MRI, x-rays, you name it, depending on the medical issue. Those visits prompt additional questions, and all of the information and results from those tests are added to our medical records.
How many trips have we made to the doctor’s office over the years and how much would someone know about us if they had all that personal and highly confidential information? Can you see why this type of detailed information about a single person being collected over time would be considered “gold” to cyber criminals? The federal government refers to this type of data as protected health information, or PHI.
Things we should know about PHI:
Why PHI is Valuable to Cyber Criminals:
- Average stolen PHI sells for $10.00 to $50.00 per record on the Dark Web
- Child Patient records sell for $500 to $1,200 per record on the Dark Web depending on detail
- Longer Shelf Life – unlike a stolen credit card, which can be cancelled and reissued, a person's medical history and SSN cannot be changed, and PHI theft often goes undetected until several fraudulent claims have already been processed
Most Common Scams:
- Illegal and Bogus Treatment – bill health plans for fake or inflated treatment claims
- Buy Addictive Drugs – Obtain prescription drugs to resell or feed own addictions
- Obtaining Free Treatment – uninsured individuals who need high-cost healthcare use a stolen identity and insurance details to receive it
- Resell to other cybercriminal groups – various purposes (i.e. identity theft, fraud)
Consequences to Victims:
- Ruined Credit – large hospital bills for treatment the victim never received go unpaid in the victim's name
- Loss of Health Coverage – fraudulent claims max out health policy limits
- Inaccurate Records – false diagnoses and treatments entered into the medical record can follow a person for life and affect future care
- Higher Health Premiums – false claims can raise premiums
Consequences to Healthcare Providers:
- Criminal and Civil Lawsuits
- Fines & Penalties for non-compliance
- Government Mandated Corrective Action Plans
- Defamation, Brand Damage, Loss of Human Capital
As custodians of our protected health information (PHI), healthcare providers are trusted to uphold their professional and moral obligation to keep our medical records out of the wrong hands. The challenge many physician offices face in today's Digital Age is how fast the world has transitioned to electronic record systems. We see it not only in healthcare but in every industry, and it has totally transformed the way we conduct business. As a result, healthcare records are now stored in one or more Electronic Health Records (EHR) systems, often hosted online, and cyber criminals gain access to those systems easily when the security controls around them are weak. Questions you should ask your healthcare provider:
- How are you protecting my medical records?
- Is your EHR System HIPAA Compliant?
- Do you have formal cybersecurity policies and procedures in place?
- Do you perform regular third-party HIPAA security risk assessments? (The HIPAA Security Rule requires covered entities to perform a security risk analysis and keep it current; many practices have an outside firm do this annually.)
- Do you have a backup and disaster recovery plan in place, and an incident response plan for a data breach?
In closing, we expect that, as more breaches are reported in the media, awareness will increase and the security posture of small to midsize healthcare practices will improve with it. Until then, we highly recommend you take matters into your own hands to protect your PHI and keep yourself safe in cyberspace.