Healthcare News & Insights

Your next breach risk could be your email

The feds have released guidance to providers on how to protect patient data — but a recent breach shows why training staff may be the most crucial step. 

After two of the biggest breaches of patients’ protected health information (PHI) in healthcare history, you might think your facility’s biggest threat is from hackers infiltrating your system with complex software and viruses.

But hospitals also have to be prepared for cyberattacks in simpler, seemingly innocent forms — like email phishing schemes.

Breach details

Case in point: Seton Healthcare Family, a Texas-based facility that’s part of the Ascension Health System, recently announced it experienced a breach due to a phishing scam.

In December, an employee at the facility opened a fraudulent email from a hacker, which exposed the system to further attack. An investigation into the breach determined that approximately 39,000 patients’ PHI was compromised by the attack.

Some of the data exposed by the scheme included:

  • medical record numbers
  • Social Security numbers
  • clinical information, and
  • insurance information.

The cost of Seton’s breach will be more than just whatever fines it might incur for HIPAA violations. The facility is also offering free identity and credit monitoring to those affected by the breach, and affected patients may well bring legal claims against the hospital.

Phishing schemes like the one Seton experienced are becoming more common across the industry. A similar phishing scheme affected another facility in the Ascension network, and reports say there’s been a spike in scams aimed at patients whose information was compromised by the recent Anthem breach.

Updated security guidance

Seton’s breach is a good reminder to other facilities about the importance of employee training and collaborating with vendors on security issues. Currently, Seton is working with its email service provider to prevent these kinds of phishing issues in the future.

To help other providers avoid similar pitfalls, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) recently updated their guidance for securing PHI.

The guidance covers important topics for facility leaders to consider, including key steps for meeting HIPAA criteria, and implementing a security management process.

Notably, the guidance also gives examples of questions providers should ask vendors before purchasing health IT to ensure new electronic health record systems, email or other health IT devices are properly secured. Some of the questions are:

  • If staff needs to contact the developer, or vice-versa, how can each party verify the other’s identity?
  • Will the developer update programs remotely and how will this access be secured?
  • Does the software account for certain security features like encryption, auditing functions, user IDs and passwords, and automatic time-out?
  • Does the system allow for secure messaging to patients?

Although these questions are good preventive steps to take, hospital leaders should still take time to regularly train their staff about cybersecurity and HIPAA issues, such as how to tell phishing emails from legitimate ones.

It may also be necessary for hospitals to follow Seton’s lead and work with vendors to further customize and secure their systems and health IT.
