Patient Data: Are You Being Responsible For Its Well Being?

Safeguard your identity by protecting the people who guard it.

Understanding HIPAA

Do you remember your last trip to the doctor? If it was your first visit, they likely handed you a stack of paperwork—and when you filled it in and handed it back, your data was entered into an electronic database. While you were waiting for the doctor, a nurse came in and collected some more data, and then you met with the doctor, who collected even more data. Every bit of this data was captured and put into a database, and over the years, your protected health information has grown into a digital data gold mine. A gold mine that, if stolen, makes it easy for a cyber-criminal to commit fraud.

Identity thieves are not interested in whether or not you have high cholesterol or blood pressure. What they do care about is all the personal data that is linked to your protected health information (PHI): your name, address, social security number, health insurance member number, beneficiaries, etc. This is data that can be used to commit fraud. For this reason, the government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to help protect the PHI data of American citizens. HIPAA is meant to ensure that healthcare providers, healthcare plans and healthcare clearinghouses implement policies and controls that safeguard your PHI, levying hefty fines against any organization that fails to comply. But even this is not enough to stop identity theft from occurring.

The personal impact of a healthcare data breach

Can you imagine child protective services taking your children away when you have done nothing wrong? It sounds ridiculous, but it nearly happened to Anndorie Cromar. When a woman used Cromar’s medical identity to have her baby—born with drugs in its system—at a nearby Utah hospital, child protective services threatened to take Cromar’s four children from her. Though DNA testing helped prove that the baby’s mother wasn’t Cromar, it took years for her medical records to get corrected.

Another woman, Linda Weaver, received a bill for the amputation of her right foot. But she still had two legs! Though she contacted the hospital, explaining that this bill could not possibly be for her, they refused to drop it. It was only when she threatened litigation that they finally did so. Though Weaver was assured that the thief’s info had been purged from her history, when she went in for an emergency surgery, a nurse assumed from Weaver’s medical information that she had diabetes—she didn’t.

Healthcare fraud is a booming business, and even though many of those involved are getting caught, fraud still has a major impact on the healthcare system.

Preventing healthcare breaches

According to the 2018 Verizon Data Breach Investigations Report, healthcare organizations reported 536 data breaches, the most of any sector. Verizon also found that “healthcare is the only industry where the threat from inside is greater than that from outside.” Since 2016, approximately twenty-five organizations have paid over fifty million total in HIPAA violation fines. These fines could have been avoided if the organizations had implemented the proper access controls to protect PHI data. Because privileged users have the highest levels of access within an organization, they are also the most “at-risk” for compromise.

For healthcare organizations that need to reduce their exposure to a data breach, CA’s privileged access management solution provides a unique approach that not only detects and prevents unauthorized access to privileged accounts, but also provides multi-factor credentials, full lifecycle management and governance of privileged identities. Our appliance-based solution installs quickly and offers unparalleled performance and scalability – and the lowest total cost of ownership in the industry. CA Privileged Access Manager continuously analyzes the activity of individual users, accurately detects malicious and high-risk activities and automatically triggers defensive controls like blocking, step-up authentication, and session recording to dramatically limit the possibility of a data breach, so you and your customers can sleep better at night.

This article was written by Sophia Laughlin, a former Security Product Marketing Intern at CA Technologies, A Broadcom Company. She is currently studying information analytics at the University of Colorado Boulder, and enjoys both learning and writing about current cybersecurity trends.
