Healthcare Data Breach

7 Healthcare data breaches

Healthcare data breaches have been increasing in recent years. Learn about PHI and ePHI, and take a look at 7 healthcare data breaches.

According to a report by the Identity Theft Resource Center (ITRC), there were 599 reported data breaches in the healthcare industry in 2020, affecting over 28 million individuals. This is up from 525 reported breaches in 2019 and 471 in 2018. HIPAA Journal's breach statistics show that 2022 still ranked as the second-worst year on record in terms of the number of reported breaches.

Not every breach is reported, however, so the true number of incidents and affected individuals is likely higher than these figures. The sector remains a target because a health record bundles identity, insurance, financial and clinical data that attackers can monetize.

Brief history of PHI and ePHI

Protected health information (PHI) is any individually identifiable health information that is maintained or transmitted in any form, whether paper, oral, or electronic. In the United States, the Privacy Act of 1974 set standards for how federal agencies collect, use, and disclose personal records. The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, extended comparable protection to health information held by covered entities and their business associates across the healthcare industry.

The emergence of ePHI

The rise of electronic health records (EHRs) and other digital health technologies has led to the emergence of electronic protected health information (ePHI): any PHI that is created, received, maintained, or transmitted in electronic form. HIPAA's Privacy Rule applies to PHI in every form, while the Security Rule applies specifically to ePHI. ePHI is exposed to threats paper records are not: it can be accessed remotely, copied at scale, altered, or destroyed by an attacker who never enters the building.

API Security as an important part of ePHI

API security is an ePHI security issue. EHRs and other healthcare systems use APIs to exchange data efficiently, and an API that carries ePHI falls under the same security and privacy rules as any other electronic system handling it. To preserve the confidentiality, integrity, and availability of ePHI transferred over APIs, healthcare organizations and their business associates must apply administrative, physical, and technical safeguards: who may call the API, which records and fields each caller may see, encryption in transit and at rest, and logging that records every access.

In recent years, several high-profile healthcare data breaches have exposed millions of individuals' personal and medical information. These breaches put the CISO squarely in charge of protecting PHI and ePHI and raised regulatory scrutiny and enforcement in healthcare. As technology dominates healthcare delivery, organizations must prioritize ePHI security and ensure their CISOs are protecting patient data, API security included.

CISOs create and implement security programs that cover electronic data, network, and API security. They assess security risks, write security policies and procedures, and train staff on security best practices. They also put in place technical safeguards such as access controls, encryption, and firewalls, and monitor and audit security systems and processes to confirm they work. Overall, the CISO is responsible for running a secure PHI operation.

CISOs should also be familiar with Best Practices for Healthcare CISOs to Secure PHI, which lays out the building blocks of a secure PHI operation.

7 significant healthcare data breaches

Anthem Inc.

In February 2015, health insurer Anthem Inc. announced that it had experienced a data breach that may have exposed the personal and medical information of approximately 80 million individuals. The breach began with a phishing attack, in which cybercriminals tricked employees into providing their login credentials.

Prevention options include regular employee training on phishing scams and the implementation of multi-factor authentication.

Excellus BlueCross BlueShield

In September 2015, health insurer Excellus BlueCross BlueShield announced that it had experienced a data breach that may have exposed the personal and medical information of approximately 10 million individuals. The breach was caused by a cyberattack that exploited a vulnerability in the company's website.

Prevention options include regular security assessments and the implementation of regular security updates and patches.

Hollywood Presbyterian Medical Center

In February 2016, Hollywood Presbyterian Medical Center in Los Angeles announced that it had experienced a ransomware attack that had caused the hospital to shut down several systems. The hospital paid a ransom of $17,000 in bitcoin to the attackers to regain access to its systems.

Prevention options include regular security assessments, the implementation of regular security updates and patches, and tested offline backups so that systems can be restored without paying a ransom.

Medical Informatics Engineering

In May 2015, healthcare IT provider Medical Informatics Engineering announced that it had experienced a data breach that may have exposed the personal and medical information of approximately 4 million patients. The breach was caused by a cyberattack that exploited a vulnerability in the company’s system.

Prevention options include regular security assessments and the implementation of regular security updates and patches.

UnityPoint Health

In 2018 and 2019, healthcare provider UnityPoint Health experienced two data breaches that exposed the personal and medical information of approximately 1.4 million patients. Both began with phishing attacks in which cybercriminals tricked employees into handing over their login credentials.

Prevention options include regular employee training on phishing scams using realistic examples and the implementation of multi-factor authentication.

American Medical Collection Agency

In 2018 and 2019, billing vendor American Medical Collection Agency (AMCA) experienced a data breach that affected several healthcare organizations, including LabCorp, Quest Diagnostics, and BioReference Laboratories, and exposed the personal and financial information of millions of patients. The attackers exploited a weakness in the company's web payment page, which used an API to connect to its payment processing system. A breach at a business associate is a breach for every covered entity it serves.

Prevention options include regular security assessments and the implementation of regular security updates and patches. Proper API security measures could also have been put in place, including per-caller access controls on every record the API exposes, encryption, and security testing of the payment integration.
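The two API passages above (the technical safeguards for ePHI carried over APIs, and the access controls and security testing called for in the AMCA case) describe a control without showing it. The following is an added example, not code from the original article or from BLST Security, and it does not reconstruct the actual AMCA flaw. It shows the most common gap in ePHI APIs: a handler that authenticates callers but never checks which patient each caller may see (broken object-level authorization), beside a hardened handler that scopes access per caller, trims the response to the fields the caller's role needs, and writes an audit entry for every access or denial. All patient records, tokens, names, and the session layout are constructed assumptions for illustration.

```python
# Added example (not from the original article or from BLST Security).
# All records, tokens and names below are constructed sample data; the
# session/role layout is an assumption made for illustration only.

from datetime import datetime, timezone

# Constructed patient store: patient_id -> record. No real people.
PATIENTS = {
    "p-1001": {"name": "Alice Example", "dob": "1980-01-01",
               "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes",
               "balance_due": 120.50},
    "p-1002": {"name": "Bob Sample", "dob": "1975-05-05",
               "ssn": "987-65-4321", "diagnosis": "Hypertension",
               "balance_due": 0.0},
}

# Constructed sessions: bearer token -> subject, role, and the patient ids
# the subject is entitled to. A billing vendor is scoped to the accounts
# it bills, and nothing else.
SESSIONS = {
    "tok-alice":   {"sub": "alice", "role": "patient", "patients": {"p-1001"}},
    "tok-billing": {"sub": "billing-vendor", "role": "billing",
                    "patients": {"p-1001", "p-1002"}},
}

# Data minimisation: the fields each role actually needs. The SSN is never
# served by this endpoint, and a billing role gets no diagnosis.
FIELDS_BY_ROLE = {
    "patient": {"name", "dob", "diagnosis", "balance_due"},
    "billing": {"name", "balance_due"},
}

# In-memory audit trail. A real deployment writes this to append-only,
# tamper-evident storage; HIPAA expects a record of who touched which ePHI.
AUDIT_LOG = []


def _audit(subject, patient_id, action, fields=()):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "sub": subject, "patient": patient_id,
        "action": action, "fields": sorted(fields),
    })


def get_patient_vulnerable(token, patient_id):
    """Weak handler: confirms the caller holds *a* valid token, then returns
    any patient record by id. Returns (http_status, body)."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, {"error": "unauthenticated"}
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)   # full record, SSN included, to any caller


def get_patient_hardened(token, patient_id):
    """Hardened handler with the same contract: access is scoped per caller,
    the response is trimmed to the role's fields, every outcome is audited."""
    session = SESSIONS.get(token)
    if session is None:
        _audit("anonymous", patient_id, "rejected")
        return 401, {"error": "unauthenticated"}
    # Object-level authorization: is this caller entitled to this patient?
    # An unauthorized id gets the same 404 as an unknown id, so the endpoint
    # cannot be used to enumerate which patient ids exist.
    record = PATIENTS.get(patient_id)
    if patient_id not in session["patients"] or record is None:
        _audit(session["sub"], patient_id, "denied")
        return 404, {"error": "not found"}
    allowed = FIELDS_BY_ROLE[session["role"]]
    body = {k: v for k, v in record.items() if k in allowed}
    _audit(session["sub"], patient_id, "read", body.keys())
    return 200, body


if __name__ == "__main__":
    # Alice's token used against Bob's record: the weak handler leaks the
    # whole record, the hardened one denies it and records the attempt.
    print(get_patient_vulnerable("tok-alice", "p-1002"))
    print(get_patient_hardened("tok-alice", "p-1002"))
    print(get_patient_hardened("tok-billing", "p-1002"))
    for entry in AUDIT_LOG:
        print(entry)
```

The security test that would have caught the weak handler is mechanical: take a valid low-privilege token, request every patient id the caller should not own, and fail the build on any 200. The same run should confirm that denied requests land in the audit log, since an attacker walking ids is exactly the pattern that log exists to surface.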

Magellan Health

In April 2020, healthcare insurer Magellan Health announced that it had experienced a data breach that may have exposed the personal and medical information of approximately 365,000 patients. The breach was caused by a phishing attack, in which cybercriminals tricked employees into providing their login credentials.

Prevention options include more thorough employee training on phishing scams and the use of multi-factor authentication, which would have limited what the stolen credentials were worth.

To conclude

Healthcare data breaches have been increasing in recent years, and healthcare organizations must prioritize the security of protected health information (PHI) and electronic protected health information (ePHI). CISOs play a crucial role in creating and implementing security programs that address electronic data, network, and API security. The high-profile breaches discussed in this article show the value of regular security assessments, timely security updates and patches, employee training on spotting phishing scams, and multi-factor authentication.

As the healthcare industry continues to use digital health technologies, it is very important to keep PHI and ePHI safe, secure, and easy to access.

• Powered by BLST Security