Medical Data Privacy

HIPAA Can’t Protect Medical Data Privacy from Hackers

The American healthcare industry is one of those most sensitive to the challenges and imperatives of data privacy. Nowhere are discretion and privacy more relevant than in the protection of every American's deepest, most personal medical history. It is for this reason that the data collection and sharing practices of the healthcare industry are regulated to an extent not seen in almost any other field. It was back in 1996, recognizing the highly sensitive nature of medical data privacy, that Congress, working with the US Department of Health and Human Services (HHS), passed the Health Insurance Portability and Accountability Act, or 'HIPAA' as it has come to be known.

HIPAA is a sterling example of how legislation can be harnessed to protect the data privacy of individuals. And yet, despite the existence of this mature regulatory framework, healthcare companies of all sizes – from the largest health insurance carriers to the smallest private medical practices – are routinely breached by hackers and other threat actors. Medical data privacy is under constant siege. As shown in this graphic from the HIPAA Journal, breaches of private medical data records have been increasing year over year, spiking in 2023 but still on an overall upward trajectory in 2024.

Over the past 12 months, more than 100 million individuals have had their medical data privacy violated through breaches of supposedly secure systems. That is an average of 9,989,000 per month, according to HIPAA Journal's August 2024 Healthcare Data Breach Report.

Clearly, the healthcare industry is a favorite target of threat actors, and they continue to be very successful in circumventing the toughest cyber security measures available to it. This is notable given the exceptional emphasis the industry places upon discretion, personal privacy and data security.

Unlike so many other industries suffering from routine data breaches, the healthcare industry is governed by a robust set of regulations included in HIPAA, complete with detailed requirements for responding to incidents of data theft and system breach. There are established protocols for what physicians' offices and healthcare service providers must do when it becomes apparent that protected data has been compromised.

This paper shines a light on the vulnerability of the healthcare industry when it comes to data privacy and the omnipresent threat of breach.  It will detail the specific HIPAA requirements for privacy and breach prevention. Then it will examine the time-consuming and costly process of compliance with HIPAA in the wake of a breach and demonstrate how a proactive external data privacy management program prevents the cost and inconvenience of dealing with breaches by preventing them in the first place.

Why Hackers Love Healthcare & Target Medical Data Privacy

All personally identifiable information (PII) is attractive to hackers. Different hackers employ different strategies and tactics to generate their ill-gotten gains. Some extort victims for the safe return of stolen data using ransomware attacks. Others breach data systems to steal PII and protected health information (PHI) that they can sell and resell on the dark web. Still others steal this data to use in identity theft schemes, extracting their "earnings" by opening bogus credit accounts or by using the stolen data to access and drain victims' bank accounts.

These kinds of criminal practices are, of course, routinely applied to data stolen from every kind of organization.  However, Healthcare industry data is particularly attractive to the bad guys for a number of reasons.

Vulnerable and Highly Valuable Personal Data

Cyber criminals continue to target healthcare organizations because their data is incredibly valuable. For these malicious actors, it's not personal; it's simply that healthcare information can yield higher profits than other forms of stolen PII. Sensitive details like Social Security numbers, dates of birth, diagnoses, and insurance and billing information are crucial for patients and the entire healthcare system, making healthcare data far more lucrative than standard PII.

This data can be exploited for various criminal activities, including:

  • Ordering or modifying prescriptions and costly, durable medical equipment for illicit resale
  • Securing insurance payouts for expensive treatments and redirecting them to illicit accounts
  • Creating synthetic identities for repeated fraudulent activities
  • Gaining unauthorized access across multiple security systems (feeding new breaches elsewhere)
  • Submitting fraudulent medical claims for insurance reimbursements
  • Accessing bank accounts, credit card details, and other financial information

Put simply, PHI always involves very comprehensive data sets, and these are of the highest value on the black market.

The Need for Speed

Very few industries manage as much highly personal data as healthcare. Access to each patient’s records is essential not just for doctors, but also for nurses, insurance companies, pharmacists, and other healthcare professionals who work together to deliver optimal care. In emergencies, swift action can be crucial, leaving no time for doctors to deal with complex passwords or multi-factor authentication.

The fact is, healthcare providers are trained to recognize disease, symptomology, pathologies, etc.  They spend countless hours studying, learning and developing cures and treatments for a broad array of complicated ailments.  This doesn’t leave lots of time or bandwidth for studying the evolving environment of cyber threats, malware attacks, social engineering methods or the growth of the new Social Engineering Attack Surface.  Yet, as is the case with every other industry, Social Engineering attacks – phishing, spear phishing, smishing, vishing, business email compromise and other variants – are the predominant attack vector for the current epidemic of data breaches.  Defending against social engineering attacks requires different tactics than protecting the physical attack surface or the digital attack surface.  [Learn all about the Social Engineering Attack Surface in this Privacy Bee White Paper]

For healthcare industry workers doing extremely complex work with literal life-and-death consequences, adding a further set of detailed protocols and practices for how to handle medical data privacy is another virtual workload, one too consequential to heap onto the shoulders of busy healthcare employees, and one that is mostly regarded as a tertiary consideration in spite of its importance.

The Complexity of Third-Party Vendor Networks in Healthcare

If there's one predominant and defining characteristic of the American healthcare system – particularly when compared to its counterparts abroad – it is its complexity. Unlike the single-payer programs embraced by virtually every other developed nation on earth, America's system is not administered by and managed from a single, centralized government agency.

America's private-sector healthcare system consists of an enormous patchwork of unrelated, for-profit hospitals, healthcare provider chains, private medical practices large and small, and competing pharmacy companies. Add to this marketplace a growing, multi-billion dollar, for-profit, private insurance industry which acts as a middleman. The health insurance companies process payments from patients to their chosen providers using an even broader array of private medical billing and coding companies. Those firms process medical charges and ensure that each patient's specific insurance plan pays the proper percentage of the medical costs incurred to the healthcare provider.

According to a 2022 annual industry report from the National Association of Insurance Commissioners (NAIC), the number of private health insurance companies has grown, year over year, for a decade and shows no signs of slowing. 

The industry research site IBISWorld.com reported in 2023 that there were 1,395 medical billing services businesses in the US.

This sprawling system – patients each with their own private insurance carrier and insurance coverage levels, healthcare providers at clinics, hospitals, healthcare groups, using thousands of different medical billing/coding providers (or managing this process internally), interfacing with thousands more insurance carriers – represents a vast attack surface for threat actors.

Add to the challenge the fact that most Americans have multiple doctors and providers. This means that everyone's medical data, PII and PHI are routinely involved in transactions traversing integrated information systems, both in the cloud and across secured internal networks.

So even if the medical data privacy and overall data management processes of a particular hospital, doctor's office, medical group, insurance company, billing and coding firm or other link in the healthcare chain are robust, they're really only as strong as the weakest third-party vendor involved in the delivery and billing of medical care. This is to say that the entire industry is woefully vulnerable to medical data privacy breaches. The number of breaches – sometimes occurring daily – supports this conclusion.

Healthcare Organizations Don’t Invest Enough in Technology

The SANS Institute, a cooperative for information security thought leadership, recommends that any organization invest at least ten percent of its IT budget in cybersecurity training and certifications. However, according to an article titled "Why Hackers Love Healthcare" from the Dark Reading cybersecurity forum, most healthcare organizations allocate a paltry three percent of their budgets to this purpose. This seems like a significant failure, until one realizes that even allocating 50 percent of the IT budget to training and certifications will not lower the risk of breach as effectively as spending the existing 3% (or less) of an IT budget on solutions focused on minimizing the unsecured external data of an organization's workforce and its vendor partners' workforces.

How does addressing the unsecured external data of an organization’s workforce and vendor partners differ from focus on hardening protection of customer data in secured systems?  Read Privacy Bee for Business white paper “External Data Security and Vendor Risk” for insight.

Having defined the scale and scope of the challenges facing the Healthcare industry, it is then useful to examine how the existing laws and regulations of HIPAA address breach prevention and requirements for handling the aftermath of breaches wherein medical data privacy has been compromised.  

Current Prevention Models and Post Breach HIPAA Compliance Requirements

Prevention

Contemporary prescriptions for preventing medical data privacy breaches are mostly what medical researchers would describe as placebos.  The Health and Human Services Cybersecurity Program offered the following strictures in a recent presentation aimed at fostering best practices for preventing breaches. 

The guidance reads like an industry-standard list of tactics and strategies for ensuring data systems are secured: multi-factor authentication, email filtering, employee awareness training, anti-virus scans, whitelisting, endpoint protection, and so on. These are all tools in the contemporary playbook for information security and cyber security.

These steps and standards are largely in line with what most organizations recommend. And predictably, these methods are inadequate for the challenge, as we can surmise from the fact that this guidance was issued in 2021 and today, in 2024, breaches of medical data privacy continue to grow in size, scope and consequence.

The reality of the matter is that these strategies and tactics – while effective individually at guarding the physical security and cyber security of a healthcare organization – do not offer any protection from exploitation of unsecured external data.

Definition: Unsecured External Data:
Unlike customer data an organization works to protect within its internal information systems, EXTERNAL data refers to the personally identifiable information of organizations’ employees and vendor employees.  This unsecured employee PII is used by threat actors to generate highly effective and contextually relevant social engineering attacks designed explicitly to sidestep physical, digital and cyber security measures.

This graphical representation (taken from the Privacy Bee white paper "Cyber Security Isn't Enough") illustrates the totality of what must be accomplished to achieve strong functional security for any business or organization. Legacy strategies, already widely adopted by most organizations, include hardened physical security protocols. This is the innermost, lightest blue circle in the graphic. Password protection on workstations and business machines, governance policies restricting the use of portable and external media/hardware, physical plant security like key card access to office locations, surveillance cameras and other such policies are widely used.

Beyond the physical security measures, most companies already employ strategies for protecting cyber security in the cloud and online. This is represented by the darker blue, middle circle in the graphic. Common cyber security best practices include hardening endpoint security, data encryption, password protocols, vendor risk management (VRM), identity and access management (IAM), firewalls, spam filters, antivirus scans and employee cyber security training.

Where contemporary practices begin to fail is in the outermost, darkest blue circle in this graphic.  This is the area Privacy Bee refers to as “External Data Privacy” or EDP.  Physical security and cyber security measures are, by definition, inwardly focused.  That is, these strategies are designed to keep prying eyes from accessing data that is behind the walls of the fortress.  Yet, the vast majority of today’s data breaches aren’t the result of bad actors successfully penetrating these defenses via brute force attacks.  Rather, social engineering has become the primary attack vector resulting in data breaches and the catastrophic consequences that typically follow.  And these attacks are planned and enabled using the extraordinary volume of unsecured personal data about every worker in every organization, available for sale – and in many cases, even for free – on the internet.  

Whether from Data Brokers, People Search Sites, public records, unrestricted social media accounts or even illicit data stolen in prior breaches and available on the dark web, there is a nearly unlimited volume of unsecured external data on every individual working in every Healthcare industry role.  This data is readily available and used by threat actors to perpetrate social engineering attacks against super high value targets in the healthcare space.

Post Breach HIPAA Compliance

Summary of HIPAA Privacy Rule

The HHS provides the following definition: "The Privacy Rule standards address the use and disclosure of individuals' health information—called 'protected health information'—by organizations subject to the Privacy Rule—called 'covered entities'—as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights ('OCR') has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties."

The "covered entities" referenced in the rule include:

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses
  • Business Associates (third-party vendors involved in):
    • Claims processing
    • Data analysis
    • Billing/coding
    • Legal
    • Actuarial
    • Accounting
    • Consulting
  • Associated Business Contractors

It is worth noting that there is significant detail provided by way of defining the permitted uses and disclosures of PHI data.  However, all of the definitions and rules regarding usage and so forth are immaterial to a criminal.  They are certainly not likely to be observed in any unauthorized exfiltration. 

The proof of this vexing reality can be found by visiting the Office for Civil Rights at the US Department of Health and Human Services.  As required by the HITECH Act of 2009 (a companion in many ways to HIPAA), the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.  Visit the “Breach Portal” of the Office for Civil Rights at the HHS for a cursory review of the breaches meeting this threshold – just in the last 24 months!  It is a staggering list of 878 open cases as of the writing of this paper in late 2024.

Despite the detailed privacy rules of HIPAA, the breaches are endemic.  Here’s what the law provides in the wake of a breach.

Summary of HIPAA Breach Notification Rule

There is a slim difference between the legal requirements of HIPAA in the wake of a data breach and the standard operating procedure for most other types of organizations.  That is, HIPAA mandates a so-called “Breach Notification Rule”. 

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

This is to say that, in the wake of a detected and unauthorized intrusion or exfiltration event, the breached Healthcare organization must report the incident to anyone whose data may have been involved in the incident.  If it sounds like the same sort of response one might expect in the wake of a data breach affecting an organization outside of the healthcare field, that’s because it is. 

Organizations in non-regulated industries have every incentive to report breaches to the customers and users who are swept up in a data breach. Seeking to avoid civil or class action litigation is one such motivator. Protection of reputation is another, as is the opportunity to announce to the media that identity monitoring services (of questionable utility) are being offered to those affected.

For healthcare industry organizations, the duty to notify is encoded in the HIPAA law, and there are enforcement mechanisms to ensure that breaches are indeed reported and those victimized are properly notified, though this would likely occur as regularly without the legal requirement as it currently does in other industries. The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

Healthcare industry CISOs and CIOs could spend time reading the enforcement rule. Or, they could do something far more effective and embark on a campaign to render all the guidance, rules, definitions and compliance strictures mostly irrelevant. They could instead focus on implementing a proven methodology for dramatically reducing the unsecured external data of their workforce and that of their third-party vendors' workforces. In this way they dramatically reduce the size of their Social Engineering Attack Surface and their overall risk of falling victim to threat actors.

Reducing Healthcare Organizations' Risk Profile and Ensuring Compliance with HIPAA

Ultimately, lowering the profile of any organization in the eyes of threat actors requires a concerted and ongoing campaign aimed at reducing the unmanaged exposures of the organization's workforce everywhere on the internet. Privacy Bee for Business offers the only completely comprehensive solution platform to identify, eliminate and maintain acceptable external data privacy risks on an ongoing basis.

What follows are the first or primary steps in the overall process.  New customers of Privacy Bee for Business undergo the following steps which are applied to all employees with any information systems access in any quarter of the enterprise.  The same processes are equally deployed for all employees of third-party vendors or contractors with any systems access or integrations.

100% Free Privacy Threat Monitoring and External Privacy Data Audits are the best place to begin to identify where unsecured data for all your employees may exist all over the internet.

For consumer customers, the Privacy Bee solution performs continuous monitoring, scanning the net for any public exposures of the customer's personal data and informing the customer of any exposures so that mitigation steps can be quickly undertaken. For the Business customer, Privacy Bee's External Privacy Data Audit provides in-depth reporting on external exposures and their cost to a company's productivity. Turning those stats into figures, the financial risk assessment provides a conservative estimate of the cost these external exposures carry. The platform provides full employee privacy audits, covering how many employees have been exposed, what type of exposures they've had, and the source of the exposure. The tool sets detect recent critical vulnerabilities and target where to start cleaning up employee data.

The Privacy Risk Assessment (PRA), also 100% free, is roughly 75 questions and takes about an hour to complete. It explores how customer and employee data is managed by your organization, illuminating any unmitigated risk and opportunities for improvement. Once completed, the answers help derive your organization’s Privacy Risk Score.

Once these audits and assessments have identified where the unsecured data lives, it is time to embark on an ongoing campaign to remove it.

Data Broker Removal services from Privacy Bee mobilize an army of "worker bees" to continuously issue, manage and reissue DSARs covering all identified unsecured data. Privacy Bee manages the requests, correspondence and ongoing steps needed to erase customer data from the more than 350 data broker and People Search Sites in the US. This labor-intensive process is handled by the Privacy Bee solution, so users are spared the administrative burden. Privacy Bee boasts the industry's highest removal success rating.

Privacy Preference Management on the Privacy Bee platform provides the ability for each user to create their own "whitelist" or "privacy bubble" by cataloging all sites the user visits or has visited, then allowing trusted sites to collect their data while barring distrusted sites from doing so. For the Business customer, this type of selectivity allows all company business machines to be configured with trusted sites and to enforce prohibitions against any user visiting web properties deemed to be a privacy risk for the client company. The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.

Vendor Risk Management is crucial to protecting the internal workforce as well because all best efforts can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy.  If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella.  Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections. 

Reach out today to learn how to license Privacy Bee to protect your organization from the threats associated with unsecured external data.
