Data breaches are on the rise across the health care industry at large, with the number of cyber attacks targeting health data reaching record highs in 2018. And due to the mobile nature of home health care, the sector is especially vulnerable to attacks.
In 2018, there were 365 health care data breaches of 500 or more records reported, according to data from the Department of Health and Human Services’ Office for Civil Rights published in the HIPAA Journal.
That’s up 83% from 2010, when there were 199 breaches of 500 or more records reported, the same data shows.
“The attempts are constant,” Lisa Rivera — health care-focused attorney at legal firm Bass, Berry & Sims — told Home Health Care News. “They are never-ending.”
A large reason for the spike comes down to the technological advancements being implemented to improve health care. For example, while moving patient records to a digital platform can make care more seamless and efficient, it also makes data easier to steal than if the files were locked in a file cabinet in a secure room.
“If you were to speak with an IT department at a large health care system who is constantly monitoring what’s happening in their firewall, they’ll tell you there are thousands of attempts a day to get entrance into their system,” Rivera said. “It’s just not something that’s going away.”
In fact, as more and more health care providers jump on board with the idea of population health — which some home health leaders have called the future — the trend will only compound, as more data is shared between providers and available in more places.
Beyond home-based care providers’ desire to lean into population health, they face another overwhelming challenge: Workers often use smartphones, tablets and laptops to log and send patient data remotely.
“The work site is mobile,” Rivera said. “Plus, they’re in cars, so that information is on the move from patient to patient and back home. Many times, [aides] work in rural areas, so it may be days before they come back to the office.”
The mobile nature of the work presents two main problems on top of those all health care providers deal with, Rivera said.
First, caregivers and aides routinely use networked devices to do their work, which can be vulnerable to attack, especially if used improperly.
For example, according to the HIPAA Journal, more than 90% of cyber attacks come from phishing emails.
On top of that, workers may have physical documents or X-rays in their possession for long periods before they can deliver them where they need to go. During this time, those documents have more opportunity to be lost or stolen.
“A home health worker may have that in their possession for days until they can make it back safely to their home office,” Rivera said.
Health data is among the most valuable information hackers can obtain because unlike credit card numbers, health information can’t easily be changed and includes patients’ social security numbers, addresses, birth dates and medical history.
That makes protecting the data all the more important, which Rivera says comes down to planning, on top of the obvious.
“It helps when providers issue the cell phones, tablets and laptops employees use,” Rivera said. “That on top of added security like multi-layer authentication, strong password requirements and encryptions.”
In one of the more noteworthy home health hacks to occur in the past few years, as many as 80,000 patients in Canada reportedly had detailed medical, financial and personal records stolen by a hacker group in July 2018 after it infiltrated the computer systems of provider CarePartners.
To further protect patient information, Rivera recommends agencies have plans and procedures in place to ensure data exists only when and where it needs to be. Then, workers should be trained and tested routinely to ensure compliance.
“Assuming they have that plan in place and they execute it correctly, all employees should know exactly who to call when they have a concern about … a potential breach,” she said.