Human beings are not designed to handle large numbers. If someone owes you $100 but only pays you $1, you would rightly be upset. Yet when considering two people worth $1 billion and $2 billion respectively, most people would regard them as similarly wealthy, when in fact one is vastly wealthier than the other.
Maybe this is why the PHI data breach statistics that the HHS make public on their website don’t make big news.
They should. Last year (2015) 111,818,172 patients and healthcare individuals had their data exposed by the hacking of US companies working in the Healthcare industry.
This year alone, in the four months from January to April, the PHI data of 2,352,180 patients has already been hacked.
The numbers are staggering.
In practical terms, data breaches from US companies impact more people annually than the population of Germany.
But it gets worse. Not content with stealing data, attackers are now turning their attention to the booming business of ransomware, where the PHI data is encrypted by the attacker, who then demands payment in return for the key to decrypt it. Some attacks make the news, but most don’t.
And it’s not that the attackers are getting smarter. The 2016 Verizon Report published last week reiterated that the same 10 vulnerabilities accounted for 85% of exploit attacks, with some vulnerabilities being older than the attackers who have been found to be exploiting them.
In an effort to encourage companies to find ways to close the floodgates themselves, last month the OCR initiated a new, stricter set of HIPAA audit protocols and has been increasing the number of multimillion-dollar fines levied as a result of data breaches. Time will tell if this makes a difference.
So how do you ensure that the PHI you’re holding remains private?
There are two simple things you can do right now:
Ensure there is a Business Associate Agreement in place with any supplier or business partner that will potentially handle PHI. There is guidance on this on the HHS website; however, it is also important to get your legal team involved before any agreement is signed.
Put in place an SOP for regular security risk assessments of your systems. There is a free tool provided by HHS, but you will always gain more from an assessment performed by a qualified security expert. Ensure that the results are reviewed by your Senior Management Team. Put a plan in place to implement any critical recommendations and ensure someone owns that plan.
If enough organisations followed these two simple steps, maybe the breach numbers would reduce enough for us to get our heads around them.
Article by Dr Matthew Lakelin - 2 Nov 2016
Dr Matthew Lakelin
Dr Matthew Lakelin is a co-founder of TrakCel. Using his knowledge of the handling and distribution of CGTs, he has assisted with the development of the technology platform and is passionate about democratising advanced therapies. Matthew is one of TrakCel’s industry experts tasked with ensuring projects are delivered on time and within budget.
Matthew holds a PhD in Pharmacology and has over 20 years’ experience working in the pharmaceutical and biotechnology industry. Matthew has led the deployment of TrakCel’s software to a wide range of advanced therapies (including CAR-T, TILs, personalised immunotherapies, neoantigen cancer vaccines) and in his role as VP Scientific Affairs is a key spokesperson and responsible for ensuring that TrakCel solutions continue to evolve to meet industry needs.