Criminals target healthcare systems for financial info more than EHRs
September 23 is quickly approaching, and for healthcare organizations and business associates - including security and online backup solution providers - this landmark is of supreme importance.
The date marks when the Health Information Portability and Accountability Act's Omnibus final rule goes into effect. For health industry professionals who aren't compliant with security and data standards by the time this day comes, the results could be costly.
However, when implementing solutions to protect patient health information (PHI) from data breaches and the resulting effects, it's helpful for these organizations to know which threats are the most prominent.
Criminals are financially driven
Recently, Verizon released its Data Breach Investigations Report, in which it analyzed the scope of breaches across industries to identify the most pressing security concerns.
In the healthcare sector, the research revealed some unexpected findings. While the industry has been primarily concerned with data breaches that target electronic health records (EHRs), Verizon found that the majority of attacks focus on point-of-sale (POS) devices, not EHRs.
Specifically, POS terminals and servers accounted for the greatest number of breaches in the healthcare industry, followed by desktops/workstations, database servers, backup tapes and documents.
"While these results may be hard to believe initially, remember that doctors' offices and small clinics (which were the majority of those organizations breached) tend to take in real money in the form of credit cards, cash and checks for both self-pay customers and for the co-pay portion of the visit cost," ZDNet explained.
And while consumers aren't carrying the majority of the burden, thanks to insurance coverage, the amount they still have to pay continues to prove enticing to thieves.
But don't get lazy with EHRs
While the Verizon research offers clinics and organizations a necessary reminder to safeguard patients' financial information and payments, it does not mean providers can afford to ignore or grow complacent about issues related to protecting EHRs.
A slew of recent data breaches continues to underscore the growing threat healthcare organizations face. As we discussed in a recent blog post, Advocate Medical Group was the victim of the second-largest healthcare data breach reported to the Department of Health and Human Services since 2009, when a mandatory notification rule was implemented.
Approximately 4 million records were stolen, and The Chicago Tribune reported that Advocate is now facing a class-action lawsuit from patients who allege the organization did not do enough to protect their PHI. In response, Advocate released a statement explaining that it does not believe PHI was targeted or will be misused.
When the Omnibus rule goes into effect in only a couple of weeks, healthcare organizations that experience similar breaches could face even steeper fines, while MSPs and VARs will also be held accountable. All this makes partnerships with trusted service vendors even more important, as HIPAA-compliant services will be critical to the IT channel's ability to offer clients peace of mind.