Data Security in Healthcare in the US
For quite some time, the healthcare system lagged in terms of cybersecurity. However, a lot has happened in the last 20 years: New laws and higher budgets have made the healthcare industry retrofit and invest in new technologies. Clinics and medical practices are getting better at handling personal data and can increasingly avoid data theft. But what exactly does the processing of data in the healthcare industry look like in the USA? How is data processing regulated? And most importantly, how secure is sensitive data collected in a practice or hospital?
What is the HIPAA/HITECH Law?
The so-called Health Insurance Portability and Accountability Act was passed in 1996 during the term of President Bill Clinton. The law prescribes rules for the handling of personal data, which must be adhered to by many stakeholders in the health care sector. Thus, the law applies to physicians, pharmacies and hospitals, health insurers and government health programs, and health care clearinghouses. These rules form the cornerstone for the secure and confidential processing of personal data in electronic health records (EHR) and in the healthcare sector in general.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) came into force in 2009. It promotes the introduction of technologies designed to simplify the processing of patient data. These include an electronic health record (EHR), which is now widely used in America.
What Data is Captured in an Electronic Health Record?
The data processed is a so-called “special category of personal data”. This type of data is considered significantly more vulnerable because it reveals sensitive information about a person's physical and mental well-being. When this data falls into the wrong hands, it can be extremely harmful for the person affected. For this reason, health data is extremely attractive to hackers and should be protected adequately. This protected personal health information, whether analog or digital, is called “Protected Health Information”, abbreviated PHI (or ePHI in its electronic form).
That is why standards have been established which must be adhered to by medical practices in order to ensure coordinated medical care and the security of healthcare data. These standards prescribe in detail how an EHR is to be organized, secured, and maintained.
In summary, the content of a file consists of all information concerning the physical and mental well-being of a patient, e.g. medication lists, allergies, anamnesis, treatment plans with diagnoses, or vaccinations.
The advantage of a personal electronic health record, of course, is its simple handling and transparency for doctors. Files, diagnoses, findings, and other information no longer have to be sent from practice to practice, which simplifies the treatment of a patient immensely.
Nevertheless, this transparency can come with risks for the privacy of the patient’s data. Those files contain information that you only want to discuss with your doctor and a few close people. And sadly, there are still too many cases in which successful data thefts come to light that expose sensitive data to third parties.
How Desirable is Health Data for Hackers?
“Who should be interested in my data?” This is unfortunately still a widespread reaction from people who underestimate how valuable health data can be. According to a report by cloud security firm Bitglass, there were nearly 600 healthcare data breaches in the U.S. in 2020 — 55% more than the previous year.
Not only did the number of data breaches jump last year, but the average cost per data breach increased by 10.5%. A total of 26 million people were affected, or almost one in ten Americans. Hacking and IT incidents led to 67.3% of all healthcare data breaches. Unauthorized disclosures led to 21.5% of breaches, while loss or theft of devices accounted for only 8.7% of breaches. Source: Healthcare Breach Report 2021
In 2020, hackers gained access to the databases of two major health systems, UPMC and Nebraska Medicine. These breaches involved health information such as Social Security numbers, dates of birth, bank or financial account numbers, insurance information, and diagnosis, treatment, and medication information for more than 250,000 individuals.
In the opinion of German data protection expert Wolfgang Schmid, companies that work with biometric or health data, and therefore with special categories of personal data, should take special precautionary measures, since the party responsible for the data is obliged to maintain specific safeguards for the interests of the persons concerned.
In case of a hack, the data is usually sold. Even anonymized health data, if combined with other data sets, can allow conclusions about a person, who can then be clearly identified.
HIPAA and the Encryption of Data
If data is encrypted both at rest and in transit, unauthorized third parties who steal it obtain only data that is unreadable, indecipherable, and therefore unusable to them. In the U.S., however, encrypting health data is only recommended, not mandatory. This is a problem, because strong encryption could have prevented many of the latest healthcare cybercrime cases.
Encryption converts data into an unreadable format called ciphertext. Only with the corresponding key, which converts the ciphertext back into its original form, can the information be read. If a laptop, smartphone, or USB stick containing encrypted data is lost or stolen, this does not constitute a HIPAA breach: as long as the data is encrypted and the unauthorized person does not have the key, patient data is not exposed.
How Can Boxcryptor Help?
Boxcryptor is a simple but extremely secure way to encrypt, and thus protect, data stored in the cloud, on a NAS or file server, on hard drives, or locally. The software gives healthcare organizations an easy way to protect data through end-to-end encryption, shielding PHI from unauthorized parties in line with HIPAA. Boxcryptor uses AES encryption with a key length of 256 bits. Since there is no viable attack on AES to date, it is the preferred encryption standard for governments, banks, and high-security systems around the world. Click here for more information on Boxcryptor and cloud security for the healthcare industry.