Healthcare News & Insights

Hackers add new targets to their hit lists

Cyberattacks continue to rise and hackers are setting their sights on new targets — the feds and the Cloud. 

In the most recent cases, a government agency and an electronic health record (EHR) cloud vendor reported data breaches due to infiltration by an unknown party.

OPM second hacking

One breach involved the Office of Personnel Management (OPM), iHealthbeat reports. Officials at the agency announced that hackers had infiltrated its security clearance database.

Hackers were able to gain access to information about current and past staff members, including:

  • Social Security numbers, and
  • forms with records of past treatments and mental health issues.

Although hackers had access, officials are still investigating whether any of the data was actually stolen.

This is the second reported breach by the OPM in recent months. An agency insider says the latest breach was discovered while federal investigators were looking into the first incident.

Security experts involved with investigating and preventing cyberattacks have noted that when hackers breach systems, they often lay the groundwork for future attacks, which can lie dormant and undetected for months.

As the OPM case shows, it’s becoming increasingly important to allocate resources for more frequent self-evaluations. And studies have shown that the majority of data breaches reported are discovered by employees assessing the system.

Cyberattack in the Cloud

Cloud EHR vendor Medical Informatics Engineering also experienced a recent breach that affected the records of some of its clients’ patients.

The vendor announced on May 26 that it found suspicious activity on one of its servers, and alerted the FBI Cyber Squad and third-party security experts.

So far, investigators have found that the attack was initiated much earlier than it was discovered, and that the hackers gained access to some patients’ protected health information (PHI), including:

  • names
  • birthdays
  • medical conditions
  • lab reports
  • Social Security numbers
  • mailing addresses, and
  • email addresses.

The vendor is advising affected patients to review recent account statements and notifying employers, healthcare providers and their insurers. It’s also offering them free credit monitoring and identity theft protection.

Providers aren’t the only ones trying to fend off cyberattacks and protect sensitive data. But unlike health organizations, not all EHR and IT vendors have the same level of knowledge and understanding about how they’re required to secure that information.

Business associates (BAs), like vendors, can pose a serious risk to patients’ PHI, and will soon be under federal scrutiny for HIPAA compliance. Hospital leaders will have to take extra steps to ensure BAs are taking protective actions, like regular risk assessments, before agreeing to do business.

The feds, however, aren’t expected to begin evaluating BAs until next year. This gives providers additional time to curate their list of BAs and conduct research on EHR vendors for proper HIPAA compliance and security provisions.
