4 Ways HIPAA Protects Healthcare Data From Ransomware Threats

This year is an unprecedented one for cyber security, especially in healthcare. Earlier this month, a strain of ransomware dubbed WannaCry, malicious software that encrypts your files and demands $300 in bitcoin to unlock them, threatening to delete them if you don’t pay, hit nearly 250,000 systems across the globe.

It hit healthcare hard. So hard that 16 NHS organisations in the U.K. could not access medical records or test results. This compromised care and put patients’ lives in real danger. Many hospitals had to turn away non-urgent patients, and emergency departments began diverting ambulances elsewhere.

In less than 24 hours, a significant portion of Britain’s healthcare system was effectively shut down by a known threat: the vulnerability WannaCry exploited had been patched by Microsoft two months earlier. Although initial reports from the U.K.’s National Health Service said no patient data was compromised, the attack shows that while technology is critical to patient care and safety, it is also fragile, and attacks like this one are going to get worse.

Experts anticipate more ransomware attacks in the coming months, which should come as no surprise: cyber crime is a lucrative business. A report from Accenture estimated that cyber attacks will cost providers more than $305 billion in cumulative lifetime revenue between 2015 and 2019, and that 1 in 13 patients will have their most sensitive medical and personal information stolen in attacks on healthcare organizations.

How HIPAA Protects Patients, Hospitals, and Providers

In the U.S., healthcare organizations are regulated by the Health Insurance Portability and Accountability Act (HIPAA). Its Security Rule (45 CFR Part 164, Subpart C) gets far less attention than its privacy provisions, but if followed properly its safeguards protect patient data against malicious software like WannaCry. Some of those safeguards are:

  • You must protect against malicious software (§164.308(a)(5)(ii)(B)). This usually takes the form of anti-virus software. Most anti-virus products have detected and blocked WannaCry since early April, which would have stopped the payload and protected patient data. Anti-virus is a backstop, though: WannaCry’s worm component attacks over the network through SMBv1 on TCP port 445, so a host with stale signatures and an unpatched SMB service is still exposed.
  • You must keep all of your systems up to date, especially operating systems such as Windows. HIPAA does not name patching outright; it follows from the risk management standard (§164.308(a)(1)(ii)(B)) and from the malware protection above. Microsoft released the MS17-010 update on March 14, two months before the outbreak, to close the SMBv1 flaw that WannaCry exploits, so even without anti-virus installed, a patched system would not have been infected over the network.
  • You must have a plan for responding to security incidents (§164.308(a)(6)). If malware does strike your systems, you have people and processes in place to contain it, keep it from spreading, and protect patient data.
  • You must perform a risk analysis (§164.308(a)(1)(ii)(A)) covering every system that stores, processes or transmits electronic PHI, not only the ones you consider critical. This lets you find and fix risks before an attacker does. Where a system cannot be updated or cannot run anti-virus (imaging equipment and other medical devices on embedded versions of Windows are the usual case), the risk analysis is what lets IT staff identify those systems and isolate them in advance: segment them from the rest of the network, disable SMBv1, and block port 445 at the boundary, so that an outbreak like WannaCry cannot reach them.
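The four points above are easy to state and hard to verify across a fleet. As an added example (not from the original post and not CODE’s own tooling), the script below checks a single Windows host for the WannaCry exposure the rules are meant to close: is an MS17-010 patch present, is the SMBv1 server still enabled, and how stale are the anti-malware signatures. It assumes it is run as Administrator on PowerShell 3.0 or later, that the KB list is the MS17-010 packages for the Windows versions noted in the comments (adjust it for your fleet), and that the signature check only knows how to ask Windows Defender; other products expose their own status APIs. The `-DisableSmb1` switch is a hypothetical opt-in name chosen for this example; without it the script only reports.

```powershell
# Added example: WannaCry (MS17-010 / SMBv1) exposure check for one Windows host.
# Report-only by default; pass -DisableSmb1 to turn off the SMBv1 server.
param(
    [switch]$DisableSmb1
)

# MS17-010 packages by Windows version (assumption: this subset matches your fleet).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012598',                              # XP / Vista / Server 2003 / Server 2008 (out-of-band, 13 May 2017)
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)

$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
$isWin10   = [version]$osVersion -ge [version]'10.0'

# 1. Patch state. On Windows 10 a later cumulative update supersedes these KBs,
#    so a missing KB there means "check the build", not "unpatched".
$installed  = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$hasMs17010 = @($installed | Where-Object { $Ms17010Kbs -contains $_ }).Count -gt 0
$patchEvidence = if ($hasMs17010) { 'MS17-010 KB present' }
                 elseif ($isWin10) { 'KB not listed; may be superseded by a later cumulative update, verify build' }
                 else { 'MS17-010 KB missing' }

# 2. SMBv1 server state. The registry value is absent on a default install, which
#    means SMBv1 is enabled; Windows 8/2012 and later also expose it via SmbShare.
$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

# 3. Anti-malware signature freshness (Windows Defender only in this example).
$avEnabled  = $null
$sigAgeDays = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status     = Get-MpComputerStatus
    $avEnabled  = $status.AntivirusEnabled
    $sigAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
}

# Exposed over the network only if SMBv1 is reachable and the fix is not there.
$report = [pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OSVersion                = $osVersion
    PatchEvidence            = $patchEvidence
    Smb1ServerEnabled        = $smb1Enabled
    DefenderEnabled          = $avEnabled
    DefenderSignatureAgeDays = $sigAgeDays
    LikelyExposed            = ($smb1Enabled -and -not $hasMs17010 -and -not $isWin10)
}
$report | Format-List

# Optional remediation: turning SMBv1 off removes the worm's entry point even on a
# host that cannot be patched (the "isolate at-risk systems" case above).
if ($DisableSmb1 -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry method from Microsoft KB2696547; needs a reboot.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Output "SMBv1 server disabled on $($env:COMPUTERNAME); reboot older systems for it to take effect."
}
```

Run it through your remote-management tooling against every Windows host in the ePHI inventory from the risk analysis and keep the reports: a host that shows `Smb1ServerEnabled` true and no patch evidence is the one to segment or fix first. Disabling SMBv1 breaks genuinely old clients and some devices, so test it on the affected medical equipment before pushing it fleet-wide.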

The WannaCry attack seriously impacted about 20% of the U.K.’s National Health Service. In the U.S., the attack had almost no impact: the only known disruption was two Bayer medical devices that were infected, and patient data was not compromised. A Bayer spokesperson told Forbes, “Operations at both sites were restored within 24 hours.”

Healthcare providers and hospitals that actually met these security rules (patched, protected against malware, and prepared to respond) were protected. Maintaining HIPAA compliance is critical because it works. It protects patients.

Patient-Reported Outcomes and HIPAA

Here at CODE, as leaders in patient-reported outcomes (PROs), we collect and protect a lot of patient data. HIPAA’s rules provide a baseline for information security, but securing patient-reported outcome data demands more than the baseline.

In addition to strictly maintaining HIPAA compliance, CODE goes beyond HIPAA’s data security rules to stay ahead of emerging threats. Our growing team of in-house security engineers designs tools and systems to stay steps ahead of modern attackers.

All of the systems we use to collect and store patient data are hardened. Our engineers perform security research on the software we use so that we find and fix vulnerabilities before adversaries do.

To stay proactive, we hold weekly, company-wide security and HIPAA updates where we discuss current threats and evolving technologies. We also run “red team” exercises, in which our security experts imitate a real attack, so that we find holes and fix them before a real attacker can use them.

Why Hackers Want Medical Data

You hear about massive data breaches involving credit card information almost every day. Healthcare data is worth much more, given its sensitivity and very long shelf life. If your credit card information is stolen you can simply cancel the card, but you can’t call the government and change your social security number. A 2014 Reuters report found that an individual’s healthcare data can earn hackers up to 10 times more than a credit card number. Stolen records also enable medical identity theft, phony insurance claims, and fraudulent pharmaceutical and medical equipment orders.

The importance of protecting patients and their healthcare data is clear. HIPAA provides a good starting place to do just that. With the recent WannaCry attack devastating Britain’s healthcare system, we see how HIPAA rules can protect patients and healthcare organizations.

About CODE

At CODE Technology, we believe patient-reported outcome (PRO) data will change medicine for the better. The only problem is that the process is tedious. That’s why CODE offers PRO data collection and reporting as a service. We handle everything for you – from survey administration to full data reports. We have an 80-90% capture rate across all intervals, offer robust reporting and benchmarking, and even offer dedicated support from humans, not robots. Click here to see how our data collection tools can work for you.

About the Author

Luka Trbojevic

Luka is CODE Technology's Information & Security Compliance Officer, a security and privacy advocate, engineer, and researcher who drives security innovation to protect hard-working people in a real way.

luka@codetechnology.com