Posts Tagged with PHI

posted by adgrooms on May 30, 2019

We have recently looked at the risk of phishing scams in healthcare and how to avoid them. We have seen that the number of patient data breaches has reached one per day in 2018. But why do hackers continue the relentless attacks on healthcare institutions? What are the hackers after? What reward do they receive?

Patient records are incredibly valuable as far as stolen data goes. A patient data record carries a potential wealth of information. A single patient record could contain a driver's license number, credit card numbers, insurance information, and all of the individual's collected medical data.

Once a hacker obtains the data, they can sell it in blocks to other criminals. The information can be purchased and used many times over. For example, a criminal can augment the information into false credentials to sell, or the information can be divided up and sold as individual driver's licenses, social security numbers, and insurance cards. And at any point in the sales, the information can be used for other criminal activities.

From the personal identification information (social security number, driver's license, date of birth), the medical record can be used for identity theft. From insurance card numbers and personal health information, it can be used for health insurance fraud: filing and receiving payment for false claims. The personal health information can also be used to purchase medical equipment, drugs, and even medical procedures.

While a stolen credit card carries an immediate payoff, mechanisms are in place to quickly discover abuse and shut it down. There is no protection mechanism for health data comparable to the protections on credit cards, and there is no limit on the number of times it can be sold and used. The damage to victims of healthcare identity theft can be far-reaching and last for years.

The high value of medical data and the large number of records amassed in health systems will perpetuate the threat of hacking for medical institutions into the foreseeable future. The threats will continue, but the precautions are relatively simple. The key to security is to make access so difficult as to be not worthwhile. We can go a long way toward accomplishing this by remaining informed and vigilant against phishing and keeping passwords secure.

posted by adgrooms on May 28, 2019

Stealing and exposing patient data is, unfortunately, a lucrative activity. Hackers are relentlessly looking for vulnerabilities in institutions that amass personal health data. In 2018 there were 365 data breaches involving patient data; that is one per day! In addition to the personal costs to the individuals who are compromised, data breaches are expensive to the institutions. In 2018, healthcare systems paid out over 28 million in HIPAA fines and penalties.

Although hospital IT departments do a great job of thwarting attacks, having a secure, single-user login is the last line of defense before a breach happens. Hospital systems are increasingly interconnected, and one piece of software treated with lax security could jeopardize the whole organization.

It might not seem like a big deal to share a password among colleagues, especially if there is a rotating staff. It can seem like an administrative efficiency; instead of having to add and remove user accounts periodically, just give the login to new staff. In a trusting environment of medical professionals, it may seem highly unlikely that this practice would lead to a problem, but it does increase exposure to hackers in several ways.

First of all, the distribution of a shared login creates opportunities for hackers. If a password is emailed or sent as part of onboarding materials to temporary team members, it can be more easily stolen. Lack of accountability gives a user less incentive to keep the shared login as secure as possible. Use of a login that has been passed around may cause users to save the password insecurely on their computer desktop or a similarly convenient location for easy access. If the password storage device does not have a secure password itself, it can be an easy win for a hacker.

Another problem is that the password is not changed periodically. Those who use shared logins typically hand out the same password over a long period of time. The more logins that are handed out to team members, the more important it is to change the password from time to time in case the password is mishandled or ends up in a compromised situation. However, changing a password and notifying all users is inefficient and could cause a lapse in access if they don’t receive the notification.

Shared logins also prevent an IT team from tracing the source of a security breach quickly. In the event that a breach occurs, time plays a role in the effectiveness of containment. Single user logins give an easier path to find the attack and shut it down to limit the damage. Many IT departments have policies against shared logins for this reason.

Passwords are highly prized targets for hackers. Not exercising the highest level of security practices in healthcare can lead to compromising patient data. How can we encourage or make it easier for users to never share a login and to change their password regularly?

posted by adgrooms on May 22, 2019

The onslaught of hackers in healthcare never ceases. Personal Health Information (PHI) is so essential and valuable, it is a tempting target. Even with multi-layered security systems in place, some hackers still slip through. Phishing is currently one of the most popular ways to breach the security layers. It is perpetrated by preying on employees through their email. In a recent survey, 83 percent of physicians have experienced a cyber attack. 55 percent of those incidents were the result of phishing. Everyone who works in healthcare and uses email (which happens to be everyone) needs to understand what phishing is, how to spot it, and how to avoid it.

Phishing is a fraudulent attempt to obtain information from you by appearing as a trusted entity online. Often these are so well disguised that even a cautious person could be deceived. They will entice the intended victim to click a link or enter a password, usually with the goal of installing ransomware. Ransomware is a program that encrypts essential data so that only the hacker can access it. For organizations without a failsafe in place, this blocks access to crucial information until a ransom is paid to the hacker, or a painful, expensive, time-consuming data restoration is performed.

So how do you spot phishing? Be wary of anything that asks you to verify an account or enter any personal information, especially if it is conveying a sense of urgency. It is a common tactic to instill panic to provoke a victim to act quickly without verifying the legitimacy of the source. If the email does not refer to you by name, that may be an indicator. Often a hacker will send out emails to thousands of addresses without knowing the full name of a person, while a legitimate sender with whom you have a relationship will address you personally.

Be aware of links in emails. Hyperlinks are underlined, highlighted words that contain a web address link. You can check a hyperlink by hovering over it, and the full URL will appear. If the URL does not match the message or looks suspicious, do not click. Examine the link closely because it may look legitimate when, in fact, it contains a slight variation. For example, healthinstitution.com could be healthinstitution1.com or healthinstitution.net, a minor variation that is easy to miss, especially in a hurry. If the message appears to be important and from a known source, instead of clicking the link in the email, enter a known URL for the site directly in your browser.
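The same link check can be automated on the mail-filtering side. The following is an added example, not code from the original post: it pulls each link out of an HTML message, compares the real destination host with a trusted list, and flags near-miss names and links whose visible text shows a different host. The trusted list, the sample message and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"healthinstitution.com"}  # assumption: the organization's real domain
# Constructed sample message; both link targets are the variations named in the text.
SAMPLE_EMAIL = ('<p>Urgent: verify your account at '
                '<a href="https://healthinstitution1.com/verify">healthinstitution.com</a>'
                ' or <a href="https://healthinstitution.net/login">the staff portal</a>.</p>')

class LinkCollector(HTMLParser):  # collects [href, visible text] pairs from an email body
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def edit_distance(a, b):  # Levenshtein distance, to catch one- or two-character variations
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):  # host of a URL, or of bare link text such as "site.com/login"
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def classify(host):
    """Return 'trusted', 'lookalike' (near miss or same name, other TLD) or 'unknown'."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    label = host.rsplit(".", 1)[0].split(".")[-1]  # label just left of the TLD
    near = any(label == t.rsplit(".", 1)[0] or edit_distance(host, t) <= 2 for t in TRUSTED)
    return "lookalike" if near else "unknown"

def review_email(html):
    """Return (href, verdict, shown_text_differs) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, classify(host_of(href)),
             "." in text and " " not in text and host_of(text) != host_of(href))
            for href, text in parser.links]
```

Calling `review_email(SAMPLE_EMAIL)` marks both links as lookalikes, and the first also as a link whose displayed address differs from its real destination.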

IT departments have checks, such as email filters, in place but phishing attacks are breaking through the barriers at an alarming rate, compromising thousands of patient records as documented on Health IT Security’s website. Be vigilant and take a closer look at unfamiliar emails. Contact your IT department if you come across something suspicious. You may be the last line of defense for your organization.

posted by adgrooms on May 17, 2019

We have talked about how EHRs can benefit physicians and hospital staff by improving the quality of information and facilitating communication. One of the things severely lacking from EHRs is communication TO the patient about their care. Patients and their families want to be informed about treatments, and providers need patients to participate in their care management.

Currently, information is presented to patients and family verbally across many individuals in the health system: physicians, nurses, assistants, techs, therapists, social workers, dietitians... There are so many people stopping by the room, talking, writing down notes, scanning medicine and IV bags, evaluating various aspects of the patient's status. When family members or a patient advocate staying in the room switches out for a break, they must hand off information to someone else. If the information is not centralized and consolidated, then how accurate will the information be after several hours and possibly several handoffs?

What if EHR companies could develop a patient-facing interface with all of this information accessible anytime for the patient? Unlike the current clunky patient portal containing just part of the picture, it needs to be a robust, user-friendly interface with the information presented in an easy-to-read and easy-to-navigate format.

This information could include charts, prescription information, timelines, and other notes pertaining to treatment and recovery of the patient, utilizing data visualization for easier understanding. Furthermore, you could have a log available to the patient and advocates in the room keeping track of who has stopped by and what action has been performed or what instruction was given at what time. This system could have an option for hospital personnel to scan in, to record their visit. It could include a manual input, to record "civilian" visitors, in case a friend or religious figure stops in. This piece would not impact the patient's health, but in the interest of serving the patient, it may be a nice benefit.

Patient participation is needed to help physicians and medical staff do their jobs well. An informed patient is better able to participate in their own care.

posted by adgrooms on May 8, 2019

We have spoken about the cost of EHRs but there is a not-yet-realized, potentially very valuable benefit. We are collecting huge amounts of data every second in health care. In other facets of life, big data is telling us more about ourselves from different perspectives. The collected health data has the capability to improve patient outcomes around the world.

Making meaningful use of this data requires careful analysis and good statistical techniques to understand what the data is telling us. Raw data presented in a spreadsheet or just lines and rows of numbers is extremely hard for most people to digest and understand.

There is compelling information, but no definitive study, suggesting that visual data is processed more efficiently than textual data. One MIT study found that the brain can process an image in as little as 13 milliseconds. Data visualization can condense information and give a more intuitive understanding of how different data points interact with each other. It can also help to quickly spot outliers and errors that may be relatively invisible when looking at a large set of numbers. We can detect trends and make informed decisions to encourage or counteract these trends to achieve desired outcomes.

EHRs could use data visualization to help paint a more complete picture of an individual patient or entire population than numbers alone, especially as mobile health monitoring devices, such as Fitbit activity trackers and Apple Watches, become more common. Better visibility could help motivate people to take more ownership of their choices to affect their own data positively. Visualized data could also increase efficiency for doctors, giving them the ability to more quickly digest complex patient data points and make diagnoses.

Data visualization can improve outcomes by helping doctors to communicate how different data relates to a patient’s health at a glance. A Cornell study showed that with a visual 97% of people were convinced of a scientific claim being accurate vs 67% without the visual. This could be helpful when doctors interact and discuss various issues with patients, increasing trust and leading to higher rates of understanding and compliance when they leave a clinical setting.

Data is being presented everywhere in medicine. We can make great improvements in healthcare by increasing and improving visualization for doctors and patients alike in the software they interact with every day.