When considering our online privacy and security, we often hold our financial records, bank accounts, and credit card numbers in the highest regard. After all, if a hacker gets this information, they have ‘the keys to the kingdom’, right? It might be surprising to learn that the black market value of this data is actually quite low.
The going rate for your social security number is about a dollar. Your credit card number is worth five dollars. A complete medical record, on the other hand, can sell for more than $1,000 on the Dark Web.
Conducting a security risk analysis is a required measure for all HIPAA covered entities. Eligible professionals must conduct or review a security risk analysis for each reporting period to ensure the privacy and security of their patients’ protected health information.
The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate security risk analysis (SRA). Additionally, 94% failed to establish or maintain an information security risk management plan. Failing to perform a risk assessment, or performing an insufficient one, is the leading cause of failing a HIPAA audit.
If you are a healthcare provider that accepts Medicare, then you have likely seen and heard the acronyms MACRA, MIPS, and EHR hundreds of times in 2017.
You may have chosen to attest to MIPS for the entire calendar year, or perhaps you are gearing up to begin reporting in the final 90 days of 2017. You also may have chosen to begin reporting in 2018. Whichever path you have selected, are you aware that before medical practices participate in MIPS they must prove that patient health information contained in EHR and elsewhere in their practice is protected by performing a security risk assessment (SRA)?
On January 6, 2017, the California Department of Insurance released the examination findings and settlement agreement concerning the breach of health insurance giant Anthem Inc., which compromised 78.8 million consumers’ records. Investigators concluded with a “significant degree of confidence” that the cyber attacker was acting on behalf of a foreign government. They did not identify the government.
On November 28, 2016, Quest Diagnostics failed to secure the Protected Health Information (PHI) of 34,000 patients from unidentified threat actors. An “unauthorized third party” accessed patient data including lab results, names, dates of birth, and telephone numbers. According to a press release from Quest Diagnostics, the stolen information does not include Social Security numbers or credit card information. Hackers were able to steal the data through an insecure web application named MyQuest by Care360, which patients use to store and share electronic health records. The MyQuest app is available online and to both Android and iPhone users.