Protecting Yourself Against Health Care’s Escalating Cybersecurity Problems - Jo Kline, J.D.
In 2020 alone, the personal and medical information of over 29 million patients was exposed in 642 cybersecurity breaches at health care-related organizations. That exceeded 2019’s number by 25 percent, and 2021 has already surpassed the 29 million mark. In fact, since HIPAA’s reporting requirement took effect in 2009, more than 266 million electronic health records (EHRs) have been lost, exposed or disclosed. That includes the granddaddy of all breaches—to date. In 2015, a provider’s employee innocently opened a phishing email and exposed the private medical information of 78.8 million customers. Ouch.
Likely you’ve never before heard of the federal agency that assists in overseeing the sanctity of your medical records, the Cybersecurity & Infrastructure Security Agency (CISA.gov). Its role in our lives took on more significance when over one-third of the entire U.S. workforce began sheltering in place in 2020, relying 100 percent on computers and the Internet for communication and work product. But long before that, CISA’s mission touched nearly every aspect of our lives, from online shopping to medical records. A nationwide, HHS-mandated restructuring of EHR systems is now underway, and it will directly impact all health care-related entities and health care consumers. It seems like an ideal time to learn how digital security directly impacts your ability to achieve the best health outcomes.
You’re no doubt familiar with HIPAA, the Health Insurance Portability and Accountability Act, if only the part about having a right to see your medical records. But these HHS regulations play another role that’s less visible. Since 2009, HIPAA-covered entities are mandated to keep all patient health information from being accessed, used or read by unauthorized parties. That’s why the volume is turned up on the waiting room television, and that’s why a simple car break-in cost one provider over a million dollars in fines. We only know about the misdemeanor theft of an employee’s unencrypted laptop because HIPAA-covered entities are required by law to notify the government, affected patients and the media whenever the medical records of 500 or more individuals are breached.
Seven-figure ransomware attacks earn the headlines, but cybersecurity breaches get very personal for patients once their user names, passwords, Social Security numbers and credit card information are converted into negotiable stolen identities. Whether hackers gain entry through an individual worker’s oversight (a recent study showed one-fourth of health care employees had received no security and privacy training in 2020) or a lack of effective systemic safeguards (ransomware attacks now account for almost half of all security breaches), threats to patients’ welfare remain the same. Damages from identity theft can range from annoying to costly, but when it comes to the breach of medical records, cyber thieves can steal your safety as well as your privacy.
While a cyberattack is in progress, medical records are most likely not accessible in acute or emergency care to verify medical history, medications or test results. Even after the ransom has been paid, the retrieved patient data may be corrupted and no longer useable. Is it even possible to completely and accurately reconstruct thousands of medical records from scratch? What is the risk of receiving a diagnosis based on someone else’s medical data? Or getting a prescription that disregards a potential drug interaction? Now you see where the life-altering risks can lurk.
Whenever you’re accessing the Internet for health care-related needs, here are tips to minimize the threat of cyberattacks:
- Regularly review your electronic health records for accuracy and keep a copy of vital information (e.g., providers’ names, chronic conditions, medications, allergies, medical history) for personal storage on a flash drive or CD—or on paper. Keep it current.
- If you see unauthorized activity on credit cards and bank accounts, it may indicate there’s been a breach of your EHRs. Contact your health care provider(s).
- Talk to health care professionals about potential security risks in using your home network for telehealth, such as wearable monitors and telemedicine patient care.
- Avoid using public Wi-Fi access and don’t leave mobile devices unattended.
- Learn how best to preserve online security for your level of use, whether teleconferencing with coworkers, friends or your doctor. If it’s easy to learn your dog’s name from social media, best not to use it as a password.
- One-fifth of computer users never back up files. Trust me, you only need one crash to truly appreciate the value. Invest in anti-malware software and make provisions for secure backups.
- And don’t open attachments in unsolicited emails, no matter how cute baby goats are.
Health care is complicated. The cybersecurity of medical records is just one of many challenges health care consumers face in preserving rights to consent, autonomy and safety. The choice is yours. The time is now. Patient or pawn?