HIPAA’s HITECH Act and the Omnibus Rule were enacted to prevent data breaches in healthcare; however, cyber-attacks against healthcare providers continue to rise.
On March 26, 2013, the U.S. Department of Health and Human Services (HHS) issued a final Omnibus Rule implementing several provisions of HIPAA’s HITECH Act. These provisions strengthen data security for electronic Protected Health Information (ePHI).
Since HIPAA’s enactment in 1996, several provisions have been incorporated into the original Health Insurance Portability and Accountability Act, one of which is the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In 2009, HHS enacted the American Recovery and Reinvestment Act, which includes the HITECH Act. HHS audits HIPAA-covered entities to ensure compliance.
Health Care Industry Breaches Among the Top Seven Cyberattacks for 2015
For 2015, three of the top seven cyber attacks affected the health care industry.
The Anthem breach ranks as number one. These breaches reiterate the importance of implementing and abiding by HIPAA’s Security Rule.
Why Are Healthcare Data Breaches on the Rise?
Angela Griffo is the vice president of 10Fold’s security practice. In a statement to the press, Griffo says that 10Fold’s research finds that cyber-criminals are choosing to target the health care industry more often.
PHI attained through a data breach provides cyber-criminals with valuable information that cannot be changed.
While credit cards can be canceled and reissued, birth dates and social security numbers cannot.
What do Attackers Do with the Information They Obtain?
Patient and employee information that is stolen during a health care security breach may be used to commit:
- identity theft
- insurance fraud
- targeted attacks
The attackers may sell this information online or use it themselves. If a hacker obtains a patient’s record and adds false information to it, the risk of a medical complication increases.
February 2016 Report: Know Your Enemies 2.0
This February 2016 report from the Institute for Critical Infrastructure Technology states that healthcare providers are currently the main target for cyber attackers.
Providers are vulnerable because they focus on saving lives. Healthcare payers concentrate on processing transactions to ensure that patients remain well and health care providers can continue treating patients.
Cyber attackers view this dedication as a weakness.
Categorizing Cyber Attackers
Cyber attackers are categorized according to who they target, what tactics they use and which techniques they employ.
1. The Hacktivist
A hacktivist is politically motivated and targets institutions that have opposing political beliefs.
Generally, a hacktivist attacks using a distributed denial-of-service (DDoS) attack. This technique overloads the server until it can no longer respond and finally crashes.
When a hacktivist targets a health care provider, he or she is looking to obtain intellectual property or patient data, or to embarrass the establishment.
2. The Cybercriminal
A cyber criminal is a conventional attacker who targets an institution. Once the data is obtained, the cyber criminal demands money in return for not disclosing the compromised data.
Malware and ransomware are the methods cyber criminals use to hold data hostage until the establishment or individual who owns the data pays the demanded ransom.
According to the report, this type of data breach will be the main threat to organizations in 2016, in particular a threat to mission-critical assets and mHealth wearable devices.
3. Nation State Actors
Nation-state actors sponsor threat groups that launch attacks against foreign governments and/or organizations. These groups rely on malware that is customized to each target.
This malware frequently contains rootkits, which give attackers the means to maintain a persistent presence. Nation-state actors target healthcare facilities to collect personal data and disrupt service.
4. Script Kiddies
Script kiddies are not considered computer-savvy attackers, as they are the least skilled when it comes to cyber-attacks.
These individuals obtain the tools they use (e.g. malware) from larger, more experienced attack groups.
The majority of the tools script kiddies use are automated and meant to be used by computer-savvy individuals; therefore, script kiddies usually enter a health provider’s IT system through opportunistic means.
5. The Cyber-Terrorist
A cyber-terrorist targets systems in an effort to disrupt and sometimes destroy infrastructure. In addition, a cyber-terrorist may inhibit the critical services of a particular nation, organization or sector.
When a cyber-terrorist attacks the healthcare industry, the goal is to frame another, smaller hacking group, thereby causing panic and turmoil.
HIPAA’s HITECH Act Compliance Checklist
Complying with the data security requirements set forth by HIPAA is essential for every health care provider, which is why a full understanding of HIPAA’s HITECH Act is vital.
To assist providers with the process of implementing these administrative, technical, and physical safeguards, HIPAA offers an online Compliance Checklist.