The healthcare industry wasn’t always considered a primary target for cybercrime. However, the rapid emergence and adoption of technology by providers along with the vast amounts of protected health information (PHI) they’re required to handle have resulted in it being the most targeted industry in the United States.
Cyberattacks on healthcare providers have resulted in 3,705 data breaches and 267 million compromised medical records since 2009. The biggest breach to date occurred in 2016, when almost 80 million patient records were stolen from health insurance company Anthem.
Healthcare organizations suffered the highest costs of data breaches for the 11th consecutive year in 2021, averaging $9.23 million. They also saw a 185 percent increase in the number of breaches compared to 2020. According to the World Economic Forum (WEF), since the start of the COVID-19 pandemic, roughly 10 million records have been stolen, averaging 155,000 per breach.
Protected Health Information
Cybercriminals often target healthcare providers because health data, especially PHI, is a valuable commodity. The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or their business associates. Stolen PHI can be a dozen times more valuable on the black market than credit card information, ranging from $10 to $1000 per record in online marketplaces (depending on completeness).
Access to PHI within a healthcare organization should only be given to employees when it’s required for their job. Safeguards such as encryption, unique user identification, automatic logoff and tracking logs should be used to ensure only those authorized to access PHI do so. Providers dealing with PHI should consider upgrading all computing devices with up-to-date antivirus software and ensuring remediation plans are implemented for user authentication deficiencies. Such access and safeguards should be reviewed on a regular basis.
The HIPAA Security Rule
Healthcare providers are required to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) and its administrative, physical and technical safeguards because they’re responsible for creating, receiving and transmitting PHI. PHI under HIPAA includes 18 identifiers, such as names, dates, geographic data, social security and account numbers, email addresses, fingerprints and internet protocol (IP) addresses.
Health and Human Services (HHS) Penalties
Although only about half of data breaches are the result of criminal or malicious intent, a lack of compliance with the HIPAA Security Rule costs healthcare organizations an average of $14.82 million. This amount doesn’t include costly civic and/or criminal HIPAA violation penalties of up to $50,000 each that can be levied by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. The ten most common HIPAA violations include:
- Snooping on healthcare records
- Failure to perform an organization-wide risk analysis
- Failure to manage security risks
- Denying patients access to health records
- Failure to enter into a HIPAA-compliant business associate agreement (BAA)
- Insufficient ePHI (protected health information) access controls
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
- Exceeding the 60-day deadline for issuing breach notifications
- Impermissible disclosures of PHI
- Improper disposal of PHI
The effects of providers failing to comply with HIPAA guidelines aren’t only financial. Cyberattacks on hospital information systems have had substantial consequences, with closed practices, canceled surgical procedures, diverted ambulances and disrupted operations. A study by the WEF found that 15 percent of ransomware attacks led to patients being redirected to facilities, and 20 percent caused appointment cancellations.
Similarly, a reported 55 percent of physicians have experienced a phishing attack. Phishing is a common attack strategy against healthcare employees and can be a remarkably low-cost and effective way of obtaining real credentials to health information systems or inducing employees to click on malicious software.
Cybersecurity For Automated Patient Outreach Tools
Implementing and maintaining high levels of cybersecurity is not only possible for healthcare providers but also necessary, especially because patients who trust their health systems to protect their data likely receive better outcomes. It’s essential for providers to maintain the confidentiality of patient data to prevent medical identity theft and assure patients that they can safely share sensitive health information.
Prioritizing cybersecurity also improves patient safety and can be achieved by following three major rules from the HIPAA Security Rule that apply to technology:
- Any technology that stores PHI must automatically log out after a certain time to prevent access by someone without credentials.
- Anyone with access to PHI must have a unique login that can be audited based on their use.
- PHI must be encrypted.
For providers looking for alternative engagement solutions to traditional manual outreach, automated communication tools such as HIPAA-compliant two-way text messaging enable them to improve their ability to scale patient outreach through personalized patient communication and engage targeted populations. Customized messaging protocols can be tailored to patients meeting specific criteria such as age, risk factors, location, last visit date and more.
Automated outreach is generating better outcomes amidst today’s complex healthcare landscape by increasing appointment attendance, driving preventative care, enhancing chronic disease management, improving medication adherence and reducing hospital admissions. It also expands access to health information while streamlining vaccine management and strengthening the patient-provider relationship.
Healthcare technology that enables automated outreach can generate patient feedback following visits, enabling practices to quantitatively measure the quality of outcomes from the patient’s perspective while also providing service recovery for dissatisfied patients. In medical facilities where secure texting solutions have been implemented, providers have reported an acceleration of the communications cycle, leading to workflows being streamlined, productivity being enhanced and patient satisfaction being improved.
Automated communication technologies like Providertech’s CareX platform that provide HIPAA-compliant SMS text messaging offer an effective solution for providers to proactively keep in touch with their patients before and after encounters—without overextending already constrained staff and budgets. Schedule a demo with us to learn more!