Institute: ONC | Component: 2 | Unit: 9 | Lecture: a | Slide: 9
Institute: Office of National Coordinator (ONC) Workforce Training Curriculum
Component: The Culture of Health Care
Unit: Privacy, Confidentiality, and Security
Lecture: Definitions of privacy, confidentiality, and security
Slide content: Patient Information Disclosures
- Health care cybersecurity attacks over the past five years have increased 125% as the industry has become an easy target; personal health information is 50 times more valuable than financial information on the black market (Kutscher, 2016)
- Portland, Oregon: thieves broke into a car with back-up disks and tapes containing records of 365,000 patients (Rojas-Burke, 2006)
- Several episodes from Virginia, including a laptop with data of more than 1 million veterans, recovered without apparent access (Lee & Goldfarb, 2006)
- Hack of Indianapolis-based payer Anthem's IT systems exposed personal data of approximately 80 million customers (Perma, 2015)
- Improper disclosure of research participants' PHI results in $3.9 million HIPAA settlement (U.S. Dept. of Health and Human Services [HHS], 2016b)
- Hospital pays hackers $17,000 to unlock EHRs frozen in ransomware attack (Conn, 2016)
Slide notes: It is important to know about patient information disclosure and how to prevent it from happening in the future. Disclosures occur for a variety of reasons, including mobile devices or data storage media that are lost or stolen, as well as cybersecurity attacks on an organization's technology infrastructure. Not all cybersecurity attacks result in patient information disclosure, but any threat of an actual attack or breach places the organization at high risk. Also, hackers may not reveal they have stolen the information until long after the event. Health care providers are a prime target for cyberattacks due in part to the value of PHI on the black market. Anyone can be subject to a breach, including health care providers, vendors, insurance companies, patients, and consumers.

The increasing use of mobile devices such as smartphones, tablets, and laptops poses unique challenges for protecting both physical and data assets. Any device that connects to a network is vulnerable, including medical devices. Implantable devices such as pacemakers are also vulnerable to hackers.

This slide provides just a sampling of the many types of events that can result in disclosure of PHI. These examples range from 2005 to 2016, which demonstrates this is not a recent issue. One particularly egregious story happened in Portland, Oregon, on New Year's Eve 2005. An individual left in his car disks, backup tapes, and other media that contained records of about 365,000 patients who were seen by a visiting nurse association. This indiscretion naturally received a lot of press and demonstrated the need to be careful if one manages devices with PHI. This type of event has continued to occur over the years regardless of the amount of press.

The Veterans Administration system has had a number of episodes, probably the largest of which was when a laptop with the data of over a million veterans was stolen. The laptop was recovered, and it appeared that the data was not accessed, but of course, no one knows exactly what went on with the machine when it was in the hands of those who stole it.

Improper disclosure of research participants' PHI resulted in a HIPAA settlement in 2016. Anthem, a large insurance payer organization, was hacked, exposing over 80 million customers' PHI. Over the past several years, many health care providers have had their clinical and operational software systems and networks frozen until some type of ransom was paid. These events do not necessarily expose PHI, but they demonstrate the organization's vulnerability and place its PHI at high risk. Again, these are only a few of the many examples of breaches, attacks, and loss of PHI impacting health care organizations, providers, and their patients.