Now we will review why cybercriminals want PHI and ePHI for their own cause, the value of PHI on the black market and what ransomware looks like. We will showcase how to protect PHI and ePHI and your obligation in the event of a data breach.

The healthcare industry has the 4th largest number of data breaches in the top 5 business sectors in the US. These sectors include Financial Services, Retail, Government, Healthcare and Manufacturing. Since healthcare has the 4th largest number of data breaches, we must actively protect PHI at all times.

For example: the theft of credit cards and account data has a limited lifespan. It is useful only until the victim cancels the card numbers and accounts. The information contained in medical records has a much broader utility and can be used to commit multiple types of fraud or identity theft, and does not change even if compromised. The value of personal data to a cybercriminal is much higher than the credit card or bank account number. The average selling price for a U.S. credit card in the underground is $1 - $2. However, when that single card is sold as part of a “fullz,” or full identity profile, the cost increases dramatically to around $720. As we know from the Equifax breaches, the WannaCry ransomware attacks and daily ongoing electronic attacks, PHI is extremely valuable to cybercriminals so they can create and sell a brand new identity on the dark web. You must actively protect PHI at all times.

Ransomware attacks have increased by 500% over the last few years. The platforms used include business applications, USB drives, social media, website attachments and emails. Be very cautious of USB drives, as they are used at multiple locations and can become infected easily. Email is the largest medium to distribute ransomware. 31% of viruses come embedded in the email itself and 28% come in the form of attachments. If you receive a suspicious email, NEVER open it. Just delete the email and notify your HIPAA compliance officer and IT company.

NURSE JOY: Hey Mary, I just got a really weird looking email. Can you come look at this?
OFFICE MANAGER MARY: Of course! Did you already click it open?
NURSE JOY: No, I think it might be a virus?
OFFICE MANAGER MARY: Oh, yeah. This is definitely one to delete. I’m so glad you didn’t open it. Okay. The proper way to delete this is to mark it as junk, then empty the junk folder. Yeah. You know I’m also going to let our Privacy Officer know just in case other employees received this email. This kind of email can lead to a data breach.
NURSE JOY: Oh, wow, okay.

In this scene, Nurse Joy did the right thing by not opening the unfamiliar email and by immediately notifying the office manager and privacy officer. She took the right action by deleting the unfamiliar email immediately.
In this lesson, we'll be covering why cybercriminals want PHI, the value of PHI on the black market, and some examples of what ransomware looks like. We'll also show you some ways you can protect PHI and ePHI and what your obligation is in the event of a data breach at your place of employment. And at the end of the lesson, we'll have a one question quiz that we're certain you'll pass.
As of 2019, the healthcare industry has the 4th largest number of data breaches among the top five business sectors in the U.S. Those five sectors are Financial Services, Retail, Government, Healthcare and Manufacturing, with healthcare fourth by number of breaches.
Since healthcare ranks as high as it does for data breaches, it's important that you actively protect PHI and ePHI at all times.
When credit card numbers and bank account numbers are stolen, their lifespan is very short, as they're only useful until the victim cancels the card or closes the account.
Pro Tip #1: The information contained in medical records is much more valuable than credit card numbers and bank account numbers and has a much broader utility. This information can be used to commit multiple types of fraud and/or identity theft and (here's the important part) does not change even after it has been compromised. You can't cancel your social security number, for instance.
For this reason, this type of personal data is worth far more to cybercriminals than credit card numbers and bank account information alone. A stolen credit card number on its own sells for only $1 to $2 in the underground market.
However, when that same credit card number is sold as part of a complete identity profile (a "fullz"), its price in the underground market jumps dramatically, to around $720.
As we've learned from the Equifax breach and the WannaCry ransomware attack, along with dozens or hundreds of lower-profile electronic attacks, PHI is extremely valuable to cybercriminals, who can create and sell these identity packages on the dark web.
The reasons outlined above are why it's so vital that you actively protect PHI and ePHI at all times. Over the last few years, to use ransomware cases as just one example, these types of cybersecurity threats have increased by more than 500 percent.
Platforms used for ransomware attacks are platforms you likely use daily at work (both professionally and personally while at work) and include business applications, USB drives, social media, website attachments, and email.
Warning: Be especially cautious when using USB drives, as they are usually used in multiple locations and can therefore become infected easily, as well as spread those infections equally easily.
Having said that, email is still the most common medium for distributing ransomware and other malware. When it comes to email, there are two places to be especially aware of: the body of the email itself, where roughly 31 percent of viruses are embedded, and attachments, which account for another 28 percent.
Pro Tip #2: There is no reason to get to the suspicious attachment stage. If you ever receive a suspicious-looking email, DO NOT OPEN IT! Simply delete it and notify those in your organization responsible for such things, like your compliance officer, IT company, and so forth.
You may recall the example in the corresponding video for this lesson. The employee notices that an email looks weird and asks her manager what she should do. The manager shows her the proper way to handle such an email: mark it as junk and then empty the junk folder. If your IT company or compliance officer wants a copy of the message so they can block the sender or remove it from other mailboxes, report it first and delete it afterward.
The other important lesson from the video example is letting your privacy officer know when you receive a suspicious email, in case other employees received the same one. It only takes one employee opening an email containing malware to cause a data breach.
Quiz: You just received a strange-looking email; what do you do?
If you answered D, congratulations! You just demonstrated uncommon sense. Seriously though, it's about good decision making and making those good decisions habitual.