
To Improve Health Data Security, Get Your Staff On Board

Posted on February 2, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.

But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.

Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And a recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.

But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.

In my opinion, the changes should include the following:

  • Boost security education:  While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for the growing threat that cyberattacks pose. They need to know that these days, the data they’re protecting might as well be money itself, and they are the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
  • Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
  • Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
  • Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use.  Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.

Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.

10.5 Million Person Healthcare Hack Revealed 19 Months Later

Posted on September 21, 2015 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As we (and pretty much everyone) predicted, the number of healthcare breaches continues to grow. In the latest case, Rochester, New York-based Excellus BlueCross BlueShield and related companies were hacked. As per usual, the incident is described as a “sophisticated cyberattack” by “shadowy groups in China,” and it compromised data including names, addresses, telephone numbers, Social Security numbers, financial account information, and some medical information.

Here’s a description of the 10.5 million records that were affected:

Affected parties include about 7 million people who are insured by Excellus, patients covered by those policies and Blue Cross Blue Shield members from other parts of the country who received medical care that was billed through Excellus, Redmond said. Excellus is the largest health insurer in the Rochester area.

The records of an additional 3.5 million people who receive services through five Lifetime units — Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions — also were breached by the hackers.

The irony of this story is that the initial intrusion seems to have occurred on Dec 23, 2013, but wasn’t discovered by the staff until much later. The report suggests that the hack wasn’t discovered until they did an investigation into their own systems after the 78.8 million person Anthem breach. What’s not clear to me is why it took them so long after that breach, which was disclosed in February 2015, to finally announce their own breach.

The company is offering the standard two years of identity and credit protection to affected individuals. Does this all feel somewhat routine now? I’m sorry to say that it’s become so common that it almost feels like a non-event. It probably doesn’t feel that way to the millions of patients who got a notice in the mail. And with breaches at Google, Amazon, Target, etc., I think we’re all becoming somewhat numb to breaches of our personal data.

State of Utah Medicaid Breach Affects 800,000

Posted on April 10, 2012 | Written By

John Lynn

The reports and details around the State of Utah Medicaid Breach are starting to come out. An article in the Salt Lake Tribune gave the following numbers:

* 280,000 people had their Social Security numbers exposed to hackers
* 500,000 people had less sensitive information, like names and birth dates, exposed

This is interesting since the initial report put the number at 24,000 Utahns on public health insurance at risk. 800,000 is quite a few more people. The Tribune article says it touches 1 in every 6 Utahns. Compared with other breaches, that’s huge.

I know people love to read reports about healthcare data breaches (see one of my most popular posts on HIPAA Privacy Violations and HIPAA Lawsuits). It’s kind of like the rubberneckers on the freeway when there’s an accident. We have to turn our heads to see what happened.

Here’s another part of the article linked above that provides more details.

So far, there have been no reports of people using the information to obtain fraudulent credit cards and loans.

But due to the breach’s scope and potential for harm, the FBI is now investigating.

“Computer intrusions are one of our top priorities,” said Greg Bretzing, assistant special agent in charge of the FBI’s Salt Lake City office. He declined to comment on the investigation or confirm the suspicions of state technology officials who traced the hacker, or hackers, to Eastern Europe.

Unfortunately, we’re really short on details of what actually happened. Not all hacks are created equal. In many cases, a computer gets hacked by a bot with no thought of what information is actually on the server. These bots just scan the internet for vulnerabilities and go through any doors that people left open. Often it’s just about the conquest and not about the information on the actual machine. Unless they give us more details, it will be hard to really know if this was intentional or coincidental.
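To make that distinction concrete, here is a small triage heuristic over web-server access logs. It is added here as an illustration and is not part of the original post or of any report on the Utah incident. The log lines are constructed (documentation-range IPs, invented paths, sizes and a made-up date), and the probe-path list, the thresholds and the labels are assumptions for the example, not a validated detection rule:

```python
import re
from collections import defaultdict

# Constructed sample in Apache/nginx combined log format (not real traffic).
# 203.0.113.7 walks a list of well-known application paths that do not exist on
# this host and collects 404s: the signature of an internet-wide scanner.
# 198.51.100.23 logs in and pulls large successful responses from an application
# it evidently already knows: what a targeted intrusion tends to look like.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2012:02:14:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [05/Mar/2012:02:14:02 -0700] "GET /pma/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [05/Mar/2012:02:14:02 -0700] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [05/Mar/2012:02:14:03 -0700] "GET /cgi-bin/php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [05/Mar/2012:02:14:03 -0700] "GET /admin/config.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [05/Mar/2012:02:14:04 -0700] "GET /manager/html HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.23 - - [05/Mar/2012:03:41:10 -0700] "POST /claims/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [05/Mar/2012:03:41:12 -0700] "GET /claims/members?page=1 HTTP/1.1" 200 48210 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [05/Mar/2012:03:41:15 -0700] "GET /claims/members?page=2 HTTP/1.1" 200 47955 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [05/Mar/2012:03:41:18 -0700] "GET /claims/export?format=csv HTTP/1.1" 200 9120044 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Paths that mass scanners request on every host they touch, regardless of what
# the host actually runs. Illustrative list (an assumption), not exhaustive.
PROBE_PATHS = {
    "/phpmyadmin/", "/pma/", "/wp-login.php", "/cgi-bin/php",
    "/admin/config.php", "/manager/html", "/xmlrpc.php", "/.env",
}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string for matching
    return rec

def summarize(log_text):
    """Aggregate, per source IP, the counters the heuristic needs."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "probe_hits": 0, "ok_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if rec["path"] in PROBE_PATHS:
            s["probe_hits"] += 1
        if 200 <= rec["status"] < 300:
            s["ok_bytes"] += rec["bytes"]        # bytes actually handed out
    return stats

def classify(s, probe_min=3, nf_ratio=0.6, exfil_bytes=1_000_000):
    """Label one source. Thresholds are assumptions chosen for this example."""
    nf = s["not_found"] / s["requests"] if s["requests"] else 0.0
    if s["probe_hits"] >= probe_min and nf >= nf_ratio:
        return "opportunistic-scan"     # fixed path list, mostly misses
    if s["probe_hits"] == 0 and nf < 0.2 and s["ok_bytes"] >= exfil_bytes:
        return "targeted"               # knows the app, pulls a lot of data
    return "undetermined"

def triage(log_text):
    """Map each source IP in the log to a label."""
    return {ip: classify(s) for ip, s in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG).items():
        print(ip, label)
```

The bot leaves a trail of 404s across application paths that have nothing to do with this host; the targeted session logs in, never misses, and carries a multi-megabyte export out. An access log alone cannot settle the question the post raises, though: real triage also needs session timing, which credentials were used, and what records were read, and a scanner that finds an open door often hands the host to a human who then behaves like the second source.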

In this breach, though, a whole lot of Social Security numbers are at risk, and there is a market for those since our whole financial life revolves around that number. I’ve had a number of Twitter conversations about the market for breached healthcare data. I’m still not convinced there is much of a market for it. I could imagine a scenario where a HUGE amount of aggregate healthcare data has some real value and could be sold to someone. I just don’t see the same value in an individual health record that there is in an individual Social Security number. Although, I’ll never underestimate the creativity of humans.

The State of Utah Medicaid is offering the standard one year of identity theft protection to those affected. Seems like identity theft services might be the business of the future since every breach turns to them to cover what happened. They haven’t offered any healthcare data identity theft services, since I’ve never seen such a service. Is that service not available because it’s not really a problem? I know healthcare identity theft is an issue, but I don’t think those issues stem from breaches. I’d be interested if someone has information that says otherwise.

I’ll also add my regular disclaimer: this healthcare data breach has NOTHING to do with an EHR breach. I’m sure we’ll have a major breach of EHR data at some point in the future, but as of now insurance data and lost devices seem to dominate the healthcare breaches that I’ve seen.