How Unsecured Data Systems Can Lead to a HIPAA Nightmare


If you’ve been reading any healthcare-centric news over the past few weeks, chances are you’ve seen a story or two covering large-scale HIPAA violations by healthcare providers and organizations. Zack Whittaker of TechCrunch reported that an estimated 1 billion medical images containing sensitive patient information are currently available to anyone with an internet connection and free-to-download software. Of these 1 billion images, about half belong to patients in the United States. Under U.S. law, healthcare providers are legally responsible for securing the privacy of patient data, so why aren’t they? In September, ProPublica reported that images from over 24 million medical exams, many of which included name, date of birth, and Social Security number, were left unprotected on the internet. Just how unprotected, you might ask? Unlike a premeditated cyberattack, these exposures required no break-in at all: the images lacked basic access controls either within the system itself or on the storage server, so any internet user could retrieve them without so much as a password. The common denominator of these exposures is a weakness in the picture archiving and communication system (PACS) servers. Often these servers are connected directly to the internet with no authentication in front of them, leaving the stored Protected Health Information (PHI) at risk of ending up in the wrong hands.
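As a concrete check for the exposure described above, here is an added example (not code from the original article, and not a MerlinOne tool) that connects to a DICOM port and asks the server to open an association from an AE title it has never registered. A PACS that answers A-ASSOCIATE-AC to an arbitrary caller is accepting connections with no access control at all; a rejection or abort means the server is at least screening callers. The implementation class UID, the calling AE title "PROBE" and the default called AE title "ANY-SCP" are assumptions chosen for the example. Run it only against systems you are authorized to test.

```python
"""Probe whether a DICOM service (e.g. a PACS) accepts an association from an
unregistered caller. Added example for this article; not MerlinOne code."""
import socket
import struct
import sys

DICOM_APP_CONTEXT = b"1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = b"1.2.840.10008.1.1"    # the C-ECHO service
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.10.999"   # assumption: placeholder UID for this probe


def encode_item(item_type, payload):
    """PDU item or sub-item: type byte, reserved byte, big-endian uint16 length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def ae_title(title):
    """AE titles are 16 bytes, space padded (PS3.8)."""
    return title.encode("ascii")[:16].ljust(16)


def build_associate_rq(called_ae, calling_ae="PROBE"):
    """A-ASSOCIATE-RQ proposing one presentation context: Verification SOP class
    over Implicit VR Little Endian, from a calling AE title the server never saw."""
    pres_ctx = (struct.pack(">BBBB", 1, 0, 0, 0)                # context id 1 + reserved
                + encode_item(0x30, VERIFICATION_SOP_CLASS)
                + encode_item(0x40, IMPLICIT_VR_LE))
    user_info = (encode_item(0x51, struct.pack(">I", 16384))    # max PDU size we accept
                 + encode_item(0x52, IMPL_CLASS_UID)
                 + encode_item(0x55, b"PROBE_1.0"))
    body = (struct.pack(">HH", 1, 0)                            # protocol version 1, reserved
            + ae_title(called_ae) + ae_title(calling_ae) + bytes(32)
            + encode_item(0x10, DICOM_APP_CONTEXT)
            + encode_item(0x20, pres_ctx)
            + encode_item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def classify_response(pdu):
    """Interpret the first PDU the server returns. 'open' means it accepted an
    association and the Verification context from an unknown caller."""
    if len(pdu) < 6:
        return "no-dicom", "empty or truncated reply"
    pdu_type = pdu[0]
    if pdu_type == 0x03:                                        # A-ASSOCIATE-RJ
        detail = (f"result={pdu[7]} source={pdu[8]} reason={pdu[9]}"
                  if len(pdu) >= 10 else "truncated A-ASSOCIATE-RJ")
        return "rejected", detail
    if pdu_type == 0x07:                                        # A-ABORT
        return "aborted", "server aborted the association"
    if pdu_type != 0x02:
        return "no-dicom", f"unexpected PDU type 0x{pdu_type:02x}"
    offset, accepted = 74, False            # AC items follow the 74-byte fixed part
    while offset + 4 <= len(pdu):
        item_type = pdu[offset]
        length = struct.unpack(">H", pdu[offset + 2:offset + 4])[0]
        payload = pdu[offset + 4:offset + 4 + length]
        if item_type == 0x21 and len(payload) >= 3 and payload[2] == 0:   # result 0 = accepted
            accepted = True
        offset += 4 + length
    if accepted:
        return "open", "association and Verification context accepted"
    return "accepted-no-context", "association accepted, Verification context refused"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=104, called_ae="ANY-SCP", timeout=5.0):
    """Open a TCP connection, send the A-ASSOCIATE-RQ, classify the reply, and
    release politely if the server accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        reply = recv_exact(sock, 6)
        if len(reply) == 6:
            reply += recv_exact(sock, struct.unpack(">I", reply[2:6])[0])
        verdict = classify_response(reply)
        if reply[:1] == b"\x02":            # A-RELEASE-RQ: type 5, length 4, reserved
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
    return verdict


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 104
    print(*probe(target, target_port))
```

Accepting the Verification (C-ECHO) context from a caller it has never seen is not by itself proof that images can be pulled, but it is exactly the open-door condition the reports describe: nothing between the internet and the archive asked who was calling. The next step an auditor would take, a C-FIND query for patient studies, is deliberately left out.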

What is considered a HIPAA violation?

A HIPAA violation is, by definition, a failure to comply with any provision of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 or its implementing rules. There are many ways HIPAA can be violated, but the most common involve the misuse or breach of electronic protected health information (ePHI). The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services enforces HIPAA and assesses penalties for violations. Historically, OCR has handled many first-time violations with technical assistance and corrective action rather than a monetary fine. That assistance is valuable, but it only fixes the problem if the organization in violation actually implements the new processes or security measures.

For example, consider the case of Cottage Health, OCR’s final settlement of 2018. Cottage Health operates four hospitals in California and paid $3 million to OCR in 2018 to settle multiple HIPAA violations. The first breach was discovered when ePHI stored on a Cottage Health server was found to be accessible from the internet without a username or password. Patient names, addresses, dates of birth, Social Security numbers, diagnoses and conditions, and other treatment information were all easily retrievable because the server required no authentication. After further investigation, and a second breach, OCR found that Cottage Health had not performed a complete and accurate assessment of the risks to the confidentiality, integrity, and availability of its ePHI, and had not implemented effective safeguards such as securing its storage servers and running ongoing vulnerability tests.

The story of Cottage Health is the typical HIPAA breach we hear about, but there are many other ways that healthcare organizations can violate these regulations, and not all of them involve server security. Healthcare marketing departments must remain HIPAA-compliant as well: every piece of marketing content is subject to the same rules. Suppose a hospital’s marketing team posts a photo of a doctor and a patient to social media and an “Oncology” sign appears in the background. The implication is that the patient is being treated for cancer, which is Protected Health Information (PHI) and must be protected under HIPAA. If proper authorization from the patient wasn’t obtained, this would be a costly violation. Even the most innocent example of “incidental” PHI can lead to HIPAA confidentiality repercussions.

How can healthcare providers do better?

Secure storage systems and servers are the answer. Healthcare providers need to execute on their responsibility to protect patient medical data and records by storing information not only in secure systems but also on servers that require authentication and are not exposed to the public internet. This means that Electronic Health Record (EHR) systems, which store things like blood work results, test results, prescription information, X-rays, scans and more, must sit behind authentication and access controls; a password on an internet-facing server is the bare minimum, not the finish line. In addition, marketing collateral and all other digital assets of the organization should be stored in a secure digital asset management (DAM) system that enforces strict permissions on asset use. Going back to the social media example above, if the team had used a HIPAA-compliant DAM solution to house their digital content, that photo would not have been posted, because the system would have flagged that it contained PHI and that the necessary consent had not been obtained.

Implementing a solution such as Merlin Compliance’s HIPAA and GDPR-compliant DAM to store this type of content would help to steer clear of HIPAA violations and safeguard patient information. To avoid the risk of HIPAA violations due to marketing efforts, healthcare marketers should leverage the power of DAM to ensure they stay compliant throughout their entire content process.

How DAM can help healthcare marketers avoid crisis

As we’ve established, HIPAA violations and security breaches are more common than ever in today’s online world. Healthcare marketers have an especially difficult job because often the best way to advertise treatments and medicines is through case studies or patient testimonials. If not done correctly, and with consent, this can lead to a HIPAA nightmare. Healthcare marketers can reduce the risk of violating HIPAA by using a robust Digital Asset Management system to house all of their marketing collateral. Photos, videos, and documents can all be stored within the DAM and tagged appropriately for easy retrieval later. In addition to search and retrieval, the DAM allows granular permissions to be attached to assets as well as to users. Photos used for marketing can be segmented into customizable collections designating them “ready for use” if consent has been given, or “not ready for marketing use” if PHI is present or consent wasn’t obtained.

For example, if a hospital hosts a charity benefit and a photographer is present capturing images, those images would be uploaded to the DAM and tagged appropriately. Because these photos will likely be used to promote the next benefit, consent must be obtained if patients appear in them. If a patient has explicitly stated they do not consent to the use of any images they are in, the DAM can help users identify images containing that patient using the MerlinAI facial recognition tool. All a user has to do is tag the patient once; every image they appear in from then on is aggregated in one place and tagged as not approved for marketing use. With granular user permissions, the DAM administrator can filter which images particular users can see and what level of permission for use they have. In the case of healthcare marketing, the administrator can restrict the marketing team’s permissions so that they only see content that has been approved for use. This mitigates the risk of someone accidentally using an image that hasn’t been approved or for which consent wasn’t obtained.
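To make the permission model above concrete, here is an added example (written for this article, not MerlinOne’s code; the asset ids, person ids, tag names and roles are constructed for illustration) of a consent-gated release check. The design choice that matters is fail-closed: an asset is “ready for use” only when every recognised person has consent on file and no reviewer has tagged PHI in the frame; a person with no record at all blocks release just like an opt-out, and revoking one person’s consent pulls every asset they appear in.

```python
"""Consent-gated release of marketing assets: an added example of the
permission model described above, not MerlinOne's code. All ids and tag
names are constructed for illustration."""
from dataclasses import dataclass, field

READY = "ready for use"
NOT_READY = "not ready for marketing use"


@dataclass(frozen=True)
class Asset:
    asset_id: str
    people: frozenset                      # ids of people recognised in the image
    phi_tags: frozenset = frozenset()      # reviewer tags such as "oncology-sign"


@dataclass
class ConsentRegistry:
    consented: set = field(default_factory=set)
    opted_out: set = field(default_factory=set)

    def record_consent(self, person_id):
        self.opted_out.discard(person_id)
        self.consented.add(person_id)

    def revoke(self, person_id):
        self.consented.discard(person_id)
        self.opted_out.add(person_id)


def release_decision(asset, registry):
    """Default deny. Returns (status, reasons): an asset is releasable only if
    every recognised person has consent on file and no PHI tag is present.
    A person with no record at all is treated like an opt-out."""
    reasons = []
    for person in sorted(asset.people):
        if person in registry.opted_out:
            reasons.append(f"{person} opted out")
        elif person not in registry.consented:
            reasons.append(f"no consent on file for {person}")
    if asset.phi_tags:
        reasons.append("PHI present: " + ", ".join(sorted(asset.phi_tags)))
    return (NOT_READY, reasons) if reasons else (READY, [])


def ready_ids(assets, registry):
    return {a.asset_id for a in assets if release_decision(a, registry)[0] == READY}


def visible_assets(role, assets, registry):
    """Marketing users see only releasable assets; admins see everything;
    any other role sees nothing (least privilege by default)."""
    if role == "admin":
        return list(assets)
    if role == "marketing":
        ok = ready_ids(assets, registry)
        return [a for a in assets if a.asset_id in ok]
    return []


def revoke_consent(registry, person_id, assets):
    """A patient withdraws consent: every asset they appear in stops being
    releasable. Returns the ids that flipped so published copies can be recalled."""
    before = ready_ids(assets, registry)
    registry.revoke(person_id)
    return sorted(before - ready_ids(assets, registry))


def sample_library():
    """Constructed sample: a charity benefit shoot plus one ward photo."""
    assets = [
        Asset("gala-001", frozenset({"p-101", "p-102"})),
        Asset("gala-002", frozenset({"p-101", "p-103"})),           # p-103 was never asked
        Asset("ward-003", frozenset({"p-102"}), frozenset({"oncology-sign"})),
        Asset("gala-004", frozenset()),                              # no patients in frame
    ]
    registry = ConsentRegistry()
    registry.record_consent("p-101")
    registry.record_consent("p-102")
    return assets, registry


if __name__ == "__main__":
    library, consent = sample_library()
    for asset in library:
        print(asset.asset_id, *release_decision(asset, consent))
    print("marketing sees:", [a.asset_id for a in visible_assets("marketing", library, consent)])
    print("p-102 withdraws; recall:", revoke_consent(consent, "p-102", library))
```

The list returned by revoke_consent is the piece a tagging workflow alone does not give you: the ids that were releasable a moment ago and no longer are, which is what a reviewer needs in order to recall copies that have already gone out.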

Moving forward…

Since September, the problem has only gotten worse, leaving an increasing number of patients at risk of medical insurance fraud and medical identity theft. There is a growing list of open cases under investigation by the Office for Civil Rights. Healthcare providers have the responsibility to protect the sensitive health information of their patients, but sometimes breaches happen and information is left exposed on the internet. Awareness is the most important defense patients have against medical data breaches and HIPAA violations. Knowledge is power, so the more patients inform themselves, the better. Don’t hesitate to ask your healthcare providers about their digital security protocols for your medical data. After all, it’s your right to know how they are protecting your sensitive health information.

We know that today’s highly digital world puts all digitally stored information at risk. Unfortunately, data breaches have become a fact of life and will continue to happen from time to time. For healthcare providers, it is of the utmost importance to have substantial digital security measures in place that uphold the terms of HIPAA end to end. Every digital system used must be operated in a HIPAA-compliant way and hosted on secure servers that require authentication and are not exposed to the public internet. For all systems, including EHR systems that house patient data and DAM systems that house marketing and branded content, security is critical. If you don’t already have a digital asset management system serving as the single source of truth for all of your content, be sure the vendors you’re assessing are HIPAA-compliant and impose the highest level of security measures to safeguard your digital library.