A new study reveals that network server breaches accounted for 75 percent of compromised patient information for the first half of 2015.
According to Department of Health and Human Services data compiled by attorney Hudson Harris, there have been nearly 124 million medical records compromised already this year. Here is the breakdown of the breaches that have occurred thus far in 2015:
| Means of data breach | # of patient records affected | Percentage of total |
The Office for Civil Rights (OCR), which tracks HIPAA violations, allows breaches to be classified as “other” when they do not fit the above attributions. This is why the percentages do not sum to 100.
As Harris also notes, these numbers are skewed heavily by the mega-breach incurred by Blue Cross Blue Shield (BCBS) earlier this year. This large-scale network intrusion compromised 80 million patients, exposing personal information like names and social security numbers, and financial information like income. Even when Harris controlled for those numbers, network server breaches still accounted for almost 69 percent of all compromised healthcare data.
Protecting network assets in a healthcare setting
Every practice should deploy means for protecting their network. There are a number of ways a medical practice can do that.
“Primary data servers with personally identifiable information (PII) data must be given maximum protection,” says George Anderson of Webroot. “Server antivirus and malware prevention, two-factor administrative access, encryption of data at rest, and tamper proofing of administrator settings—many of the problems occur with servers because the administrator credentials are compromised or access and data controls are not rigorous enough or alerted.”
Technical considerations for protecting your network servers
First and foremost, medical practices need to be running supported server software across their infrastructure. Now that Windows Server 2003 has reached end of service, this means Windows environments need to be administered with Windows Server 2008 or Windows Server 2012. Failing to do so results in an automatic HIPAA violation, and it also puts company data at risk, since unsupported software no longer receives security patches and is prone to attack. Learn more about Windows Server migration here.
A small practice might think that setting an SSID on a home router suffices for a secure network. Almost any amateur attacker can get around this to reach medical information on networked assets. A business-grade firewall is essential for network protection in a healthcare setting.
There are several routes a medical practice can take when selecting a firewall, depending mostly on the scale of the network. It is important to understand the difference between firewalls and UTMs in terms of features and pricing in order to choose the most appropriate network protection for your servers and data.
The way a healthcare practice positions its networked assets is also important. A model of network segmentation is advisable, since it reduces data exposure while still allowing effective rollout of software and security updates.
For a deeper dive, read more about the intersection of network server hardware and HIPAA compliance.
Set internal security policy guidelines
Since the law sets security standards only in broad strokes, medical practices tend to implement controls that depend on the specific technology in use in the practice. Experts say that bad habits and human error are to blame for many data breaches.
“Many of the problems occur with servers because the administrator credentials are compromised or access and data controls are not rigorous enough so unusual data transactions don’t get flagged,” says Webroot’s Anderson.
A medical practice should have a written list of specific procedures for handling privacy and security policies. Pamela Lewis Dolan of Medical Economics has written a comprehensive article about putting these types of policies in place.
Staff should be aware of what legitimate security threats look like. Training staff to recognize security threats is as important as having the proper infrastructure in place. Learn more about ways to conduct anti-phishing training.
Supplement with software and extra authentication measures
Antivirus and antimalware solutions can provide critical alerts for potential threats to network data assets. Anderson recommends that healthcare providers install business-grade antivirus software onto their network. Experts suggest using antimalware in tandem with antivirus. Find out more about the proper way to layer antivirus software and minimize network latency.
Additionally, healthcare providers should look at additional authentication measures for accessing company servers. Anderson says that the use of credit card-style proximity passes, as well as biometric authentication for system logon, are both worth considering. Here are some tips and tools for achieving two-factor authentication in order to make shared workstations more secure and less likely to be the subject of a HIPAA violation.