1.) EMR held ransom (We also discussed another EMR ransom case here)
In the Lake County case, an unauthorized remote user posted a message on the practice’s server stating that its contents had been encrypted and could only be accessed with a password. The hackers would give the surgeons the password … in exchange for a ransom. (The docs did not pay–instead they turned off the server and called the police).
2.) Blatant Social media HIPAA breaches
Students at Stanford University setup secret identities so they can post information about patients on Facebook and other social media sites
Evidently he and other medical students were creating secret identities to bypass HIPAA,” Hirsch wrote. “None of these kids should be in medical school.
In a related story, an employee at Providence Holy Cross Medical Center in California, posted a picture of a patient chart and details the patient’s medical issues
…posted a picture of a patient’s medical record on his Facebook account, saying it was “funny” that the patient “came in to cure her VD and get birth control.” When commenters protested, he responded, “People, it’s just Facebook. … It’s just a name out of millions and millions of names. If some people can’t appreciate my humor, then tough. And if you don’t like it, too bad because it’s my wall, and I’ll post what I want to.”
3.) Malware affecting medical devices
The Veteran’s Administration reported 173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs.
In this case, old operating systems are often to blame–it’s a matter of keeping virus software up-to-date and hospitals are working with vendors to fix that threat. But it’s not always possible to patch old systems, which means a big bill to fix this problem will inevitably be coming due.
4.) Hackers could sabotage implanted medical devices
The last breach didn’t actually happen but as more and more medical devices (implanted defibrillators, insulin pumps, pacemakers, etc.) are made with built in wireless controls, the threat of hackers accessing them are very real.
The threat to implantable medical devices has grown as the devices increasingly go wireless, according to a GAO report. In 2012, information security researchers showed they could successfully manipulate two types of devices.
The idea that a hacker with a laptop could deliver a fatal, 830-volt shock to a pacemaker patient from 50 feet away? Even though no such cases have been reported, that’s some serious freak-out level information.
The take away from Shaw’s article is that all types of security breaches can happen. Healthcare organizations have to worry about common causes of breaches such as lost laptops and smartphones but also have to worry about uncommon breaches. The list of potential causes of data breaches grows larger and larger every day.
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information. Download our free guide to better understand the HIPAA Risk Assessment process.