Why Are Health Records so Valuable to Cybercriminals?

Protecting the data in electronic health records did not start with the advent of HIPAA -- the Health Insurance Portability and Accountability Act of 1996 -- as many people think. Protecting health records has been a critical requirement in the healthcare space since the computers became a fixture in hospitals. However, HIPAA added public reports of fines issued for covered entities' failure to properly protect data contained within EHRs.

Many people assume that EHR data has limited value to unauthorized users. (Who cares about my blood test results, or that I just visited my dermatologist?) Understanding their value is quite simple, though. In addition to personal health information, or PHI, EHRs contain Social Security numbers, which never expire -- and cybercriminal use of SSNs is not easily detected.

No Expiration Date

Stealing EHRs is better for cybercriminals than stealing credit cards, which can be used only until the card expires, is maxed out or canceled, according to a Trend Micro study released last month.

"...an EHR database containing PII that do not expire -- such as Social Security numbers -- can be used multiple times for malicious intent," the study explains. "Stolen EHR can be used to acquire prescription drugs, receive medical care, falsify insurance claims, file fraudulent tax returns, open credit accounts, obtain official government-issued documents such as passports [and] driver's licenses, and even create new identities."

Another important statistic that helps explain why cybercriminals are attracted to EHR data is that 91 percent of the U.S. population has health insurance. It's no wonder, then, that 113.2 million healthcare-related records were stolen in 2015, according to Trend Micro.

What About Federal Laws?

Everyone remembers signing dozens of documents before getting to see a doctor. If you were to read each document, you would find that you agreed to allow the protection of your personal health information. The U.S. Department of Health and Human Services is responsible for HIPAA oversight.

Under HIPAA, all covered entities must protect PHI in very specific ways. Healthcare providers that are covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies -- but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

There are thousands of covered entities out there, including solo doctors, psychologists, dentists, and chiropractors, all of whom have the duty to protect PHI -- but how do small practitioners who cannot properly afford the IT infrastructure protect PHI?

Small covered entities hire a company to help, which HIPAA refers to as a "business associate." Under HIPAA, each business associate must sign an agreement with the covered entity to protect PHI, aptly termed a "business associate agreement," or BAA.

Under the HIPAA Privacy Rule, a BAA "allows covered providers and health plans to disclose protected health information to these 'business associates' if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule."

The HHS offers a sample BAA that explains the business associate's potential liability under HIPAA:

"A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule."

Who Protects EHRs?

The HHS Office of Civil Rights (OCR) Investigates "civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems."

The OCR frequently reports covered entities that fail to protect PHI properly, and those entities are fined accordingly.

A number of states, including Texas, New York and Ohio, have created their own laws to protect PHI. Texas in 2011 passed House Bill 300, which "places stricter requirements on patient health privacy than those required by HIPAA and also expands the definition of covered entities to include those that come into possession of, obtain, assemble, collect, analyze, evaluate, store, or transmit protected health information."

Given their immense long-term value, cybercriminals likely will target PHI and EHR databases for years to come, so it is incumbent upon all covered entities and business associates to make the safety of this information a top priority, and do everything possible to protect their PHI and EHR databases. 

Peter Vogel has been an ECT News Network columnist since 2010. His focus is on technology and the law. Vogel is a partner at Gardere Wynne Sewell, and Chair of its Internet, eCommerce & Technology Team. He tries lawsuits and negotiates contracts dealing with IT and the Internet. Before practicing law, he received a master's in computer science and was a mainframe programmer. His blog covers IT and Internet topics. Email Peter.

Eric Levy has been an ECT News Network columnist since 2017. His focus is on compliance, privacy and data security. Levy is a senior attorney at Gardere Wynne Sewell, where he assists clients with HIPAA, FERPA and Gramm-Leach-Bliley compliance, and with responses to data intrusions and breaches.

Eddie Block has been an ECT News Network columnist since 2017. His focus is on information security and data privacy. Block is a senior attorney at Gardere Wynne Sewell. Before practicing law, he spent 20 years as an information security professional in a variety of roles, from network security management to chief information security officer for the State of Texas. His blog covers information security and data privacy topics.