Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.
Ike Devji, an Arizona-based asset protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk while giving little thought to identity theft, HIPAA violations, or the security of patient financial data. "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.
So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.
TAKE DATA SECURITY SERIOUSLY
Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.
Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often where there is opportunity: it is easier for hackers to target a small practice and steal patient credit card numbers than it is to, say, break into American Express.
Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.
Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.
FIND QUALIFIED IT SUPPORT
Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.
Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.
PROVIDE STAFF TRAINING AND EDUCATION
Your staff members cannot learn your data security policies through osmosis. You must make data security a priority and teach them how to approach it. Devji says HIPAA violations often occur through simple mistakes, like failing to lock computers and mobile devices with passwords, or copying sensitive data to an unencrypted USB drive.
Your staff training should cover at a minimum:
• The use of practice computers for personal e-mails and Internet surfing;
• Transporting data offsite using mobile devices;
• Protocols for departing staff members, e.g. changing passwords and network access;
• Educating staff on HIPAA requirements;
• The use of mobile devices at home and work; and
• Encrypting all patient data, regardless of the device.
INSTALL AND UPDATE ANTI-VIRUS SOFTWARE
In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, such as CMS, third-party payers, and the CDC. It is vital to have adequate virus and malware protection installed on all desktop computers and mobile devices, especially those used to access the practice's EHR system.
"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.
But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.
ADOPT DATA ENCRYPTION
Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted, both at rest and in motion. Encryption only protects a lost laptop or USB drive if the key or passphrase is not stored alongside the data, so keep keys on the practice's systems or in the device's own full-disk encryption, never on the drive itself. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.
The report recommends:
• Encrypting mobile devices, like laptops and USB drives;
• Backing up sensitive data; and
• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.
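As an added illustration of what "encrypted at rest" means for patient data copied to a USB drive (this is example code written for this article, not code from the Verizon report or from any vendor quoted here), the Go program below seals a constructed sample record with AES-256-GCM from Go's standard library. It then shows the two properties a practice is relying on: a thief who has the drive but not the key recovers nothing, and a file that has been modified in transit is rejected rather than silently decrypted to garbage. The sample record, the device label used as authenticated data, and the in-memory key handling are assumptions made up for the demonstration; in a real deployment the key lives on the practice's systems, never on the drive beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for a line of PHI that a staff
// member might copy onto a USB drive. It is not real patient data.
const sampleRecord = "MRN 000123|DOE, JANE|DOB 1970-01-01|Dx: hypertension"

// NewKey returns 32 random bytes for AES-256. Assumption for this example:
// the key is kept on the practice's systems, not on the removable drive.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM under key.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// aad (e.g. a device label) is authenticated but not encrypted, so a blob
// copied from one labelled drive to another will not open.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce
	// travels with the data and never needs to be stored separately.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord opens data produced by EncryptRecord. Any change to the
// key, nonce, ciphertext, tag or aad makes Open fail, so a stolen drive
// yields nothing and a tampered file is rejected instead of decrypting
// to corrupted plaintext.
func DecryptRecord(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("usb-drive-0042") // assumed device label, authenticated via aad
	sealed, err := EncryptRecord(key, []byte(sampleRecord), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; nonce+first ciphertext bytes: %x\n", len(sealed), sealed[:16])

	// A thief holding the drive but not the key gets an error, not data.
	wrongKey, _ := NewKey()
	if _, err := DecryptRecord(wrongKey, sealed, label); err != nil {
		fmt.Println("wrong key:", err)
	}
	// Flipping a single ciphertext byte is detected by the GCM tag.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := DecryptRecord(key, sealed, label); err != nil {
		fmt.Println("tampered file:", err)
	}
	sealed[len(sealed)-1] ^= 0x01
	pt, err := DecryptRecord(key, sealed, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered with correct key:", string(pt))
}
```

The same principle is what the full-disk encryption built into laptop operating systems applies to the whole drive: the data on the device is useless without a key that the thief does not have, which is why an encrypted laptop lost in a parking lot is a very different event from an unencrypted one. Note that GCM never reuses a nonce under the same key here because each call draws a fresh random one; if a practice tool encrypts very large numbers of files under a single key, that key should be rotated rather than relied on indefinitely.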
CONDUCT SECURITY AUDITS
Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."
Some key action points here are:
• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.
• Make sure that software upgrades are current on all equipment and devices.
• Review your anti-virus software to make sure it provides adequate protection.
Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.
Take these steps to ward off loss of data and equipment:
• Create a practice data security plan
• Provide staff training on data security
• Install anti-virus and anti-malware software
• Adopt data encryption
• Conduct security audits