By Troy Young, AdvancedMD Inc.
When it comes to cybersecurity, healthcare providers are late to the game: the industry accounted for a quarter of the more than 750 cybersecurity incidents recorded globally in 2018.[1] In the U.S. alone, health firms, and millions of patients, were affected by 365 data breaches last year, up from 358 in 2017.[1]
The industry is struggling to manage the security limitations of existing systems amid a proliferation of sophisticated threats, including malware, ransomware and phishing. The risks are further complicated by the growth of remote access, mobile device use and connected Internet of Things (IoT) devices. Unfortunately, much of the breach exposure, and of data theft generally, is traceable to human error or misuse inside the organization: of 1,138 breach incidents between 2009 and 2017, 53 percent originated internally.[2]
Providers should prioritize the safety of patient health information (PHI) and remain diligent about HIPAA security and privacy regulations, particularly if they want to survive an Office for Civil Rights (OCR) audit. Here's a look at growing threats and ways medical practices can protect themselves.
Facing The Threats
Any workstation that stores PHI, or that can reach a system that does, is a target. Malware, and in particular ransomware, which encrypts data and withholds access until a ransom is paid, can cripple a practice of any size. Healthcare providers are 4.5 times more likely than organizations in other industries to be hit by CryptoWall.[3]
The most common type of cyberattack is phishing, which gains a foothold through fraudulent emails or by directing users to fake websites.[4] According to an American Medical Association and Accenture survey of 1,300 U.S. physicians, 83 percent had experienced a cyberattack, and more than half of those attacks arrived as phishing emails.[5]
Administrators can warn employees about giving up passwords or other sensitive data, but criminals' phishing campaigns are both persistent and pernicious. Employees must take care when opening unexpected email, choose strong, unique passwords, and never send unencrypted PHI over email. Staff should also receive regular HIPAA training, especially on limiting PHI disclosures to the "minimum necessary", alongside anti-phishing education. Revisiting email and computer-use policies frequently and welcoming employee questions and concerns are good habits for protective upkeep.
From an information technology (IT) perspective, a practice running an on-premises EHR or practice management (PM) system needs staff on site to maintain and oversee the hardware and software. They should install antivirus and anti-malware software on every computer, back up data daily (or more often), and regularly test that those backups actually restore; an untested backup is not a recovery plan. Assessing vulnerabilities on network systems, especially unpatched software and misconfigured network devices, is critical, as is checking server configurations and passwords and confirming that patches are current. Automatic software updates should be enabled, especially for Windows, macOS and Java; Flash should be uninstalled rather than kept current, since Adobe ended support for it at the end of 2020. A security professional can also perform a vulnerability scan to measure the organization's exposure.
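The backup step that practices most often skip is the restore test. The following Python, added here as an illustration and not taken from the article or any EHR vendor, backs up a directory into a tar.gz archive alongside a SHA-256 manifest, then proves the archive restores intact by extracting it into a scratch directory and re-hashing every file against that manifest. The `ehr_export` directory, the `nightly` backup name and the file contents are all constructed for the example.

```python
"""Backup with a SHA-256 manifest plus an automated restore test.
Added example, not from the article or any vendor; paths and contents
are constructed and the 'ehr_export' / 'nightly' names are hypothetical."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Relative POSIX path -> SHA-256 for every regular file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source, dest_dir, name):
    """Write <name>.tar.gz and <name>.manifest.json; return both paths."""
    source, dest_dir = Path(source), Path(dest_dir)
    archive = dest_dir / f"{name}.tar.gz"
    manifest_path = dest_dir / f"{name}.manifest.json"
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())
    manifest_path.write_text(json.dumps(manifest_of(source), indent=1))
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore into a scratch directory and compare every file against the
    manifest taken at backup time. Returns a list of problems; an empty list
    means the backup restores intact. Schedule this; don't wait for an incident."""
    expected = json.loads(Path(manifest_path).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Python 3.12+ (and backported patch releases): refuse
                # path traversal, absolute paths and device nodes in the archive.
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = manifest_of(scratch)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in expected)
    return problems


def demo():
    """Constructed run: a good backup verifies clean; a later copy whose
    patient file was altered (bit rot, tampering, ransomware) is caught
    because it is checked against the manifest taken at backup time.
    Returns (problems_for_good_copy, problems_for_bad_copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr_export"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("mrn,name\n1001,Constructed Patient\n")
        (src / "notes" / "visit1.txt").write_text("constructed visit note\n")
        out = tmp / "backups"
        out.mkdir()
        archive, manifest = create_backup(src, out, "nightly")
        clean = verify_restore(archive, manifest)
        # Simulate a copy that changed after the manifest was taken.
        (src / "patients.csv").write_text("mrn,name\n1001,ALTERED\n")
        tampered, _ = create_backup(src, out, "nightly_tampered")
        bad = verify_restore(tampered, manifest)
    return clean, bad


if __name__ == "__main__":
    print(demo())  # ([], ['hash mismatch: patients.csv'])
```

Keeping the manifest separate from the archive is the point: if ransomware or silent disk corruption touches the backup copy, the restore test fails loudly instead of being discovered on the day the backup is needed. In production the manifest would be stored on a different system from the archive, and the scheduled job would alert on any non-empty result.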
If a healthcare organization hasn't considered moving to cloud-based platforms, especially for systems that hold a lot of PHI, now is the time. Not all cloud systems are equal, but the vendors of most PM and EHR systems that grew up in the cloud have spent millions of dollars protecting PHI, and many have dedicated security teams; it is virtually impossible for a small or midsized practice to match that investment in an on-premises system. Moving to the cloud does not move the compliance obligation, though: the vendor must sign a business associate agreement, and the practice remains responsible for its own user accounts, devices and access controls.
Keep in mind that every computer hard drive, and above all every organization laptop, must be protected with full-disk encryption. Devices are lost and stolen frequently; staff should be educated on basics such as never leaving a laptop in plain sight in a car. Encryption matters here for a concrete reason: under the breach notification rule, PHI encrypted according to HHS guidance is not "unsecured PHI", so a lost encrypted laptop (with its key not lost alongside it) is generally not a reportable breach, while a lost unencrypted one is. Unencrypted PHI should never leave the facility on a thumb drive, external drive or any other media, and a certified shredding service is ideal for destroying media that has held PHI.
Unfortunately, practice data is only as safe as the employees themselves. Insider misuse for profit, sabotage or simple curiosity is a common cause of data breaches. Background checks on all employees are integral, and a provider's EHR vendor should offer HIPAA security reports and access logs for periodic review. Those reviews should look specifically for chart access without a treatment relationship, unusual access volumes and after-hours activity, not only for failed logins.
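As an added example (not the article's or any EHR vendor's code), the following Python reviews a constructed EHR access audit export with three checks an insider-misuse review typically starts with: chart access by clinical staff with no documented treatment relationship, after-hours access by non-clinical roles, and a user opening far more distinct charts in a day than their role normally does. The log columns, care-team table, role baselines, business hours and user names are all hypothetical.

```python
"""Insider-misuse review of an EHR access audit export.
Added example, not the article's or any EHR vendor's code. The log format,
care-team table, role baselines, business hours and user names are all
constructed for illustration; real audit exports differ by vendor."""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed audit export: one row per chart access.
AUDIT_LOG = (
    "timestamp,user,role,mrn,action\n"
    "2019-05-06T08:05:00,jsmith,nurse,1001,view\n"
    "2019-05-06T08:40:00,jsmith,nurse,1002,view\n"
    "2019-05-06T12:31:00,jsmith,nurse,3003,view\n"  # jsmith is not on 3003's care team
    "2019-05-06T09:15:00,dlee,physician,1001,update\n"
    "2019-05-06T09:50:00,dlee,physician,3003,view\n"
    "2019-05-06T10:02:00,mgarcia,front_desk,1002,demographics\n"
    # A billing clerk exporting a dozen charts at 10 p.m.
    + "".join(f"2019-05-06T22:{i:02d}:00,rpatel,billing,{5000 + i},export\n"
              for i in range(12))
)

# Hypothetical treatment relationships: mrn -> users who may open the chart.
CARE_TEAM = {"1001": {"jsmith", "dlee"}, "1002": {"jsmith", "mgarcia"}, "3003": {"dlee"}}
CLINICAL_ROLES = {"nurse", "physician"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Hypothetical ceiling on distinct charts a role normally touches per day.
DAILY_CHART_BASELINE = {"nurse": 25, "physician": 40, "front_desk": 80, "billing": 10}


def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows


def review_access(rows):
    """Return sorted (user, rule, detail) findings for a periodic access review."""
    findings = set()
    charts = defaultdict(set)       # (user, role, day) -> distinct MRNs opened
    after_hours = defaultdict(int)  # (user, day) -> accesses outside business hours
    for r in rows:
        day = r["ts"].date().isoformat()
        charts[(r["user"], r["role"], day)].add(r["mrn"])
        # Rule 1: clinical staff opening a chart with no documented treatment
        # relationship (the classic curiosity / snooping pattern). Back-office
        # roles are covered by the volume rule instead, because the constructed
        # CARE_TEAM table does not model billing workflows.
        if r["role"] in CLINICAL_ROLES and r["user"] not in CARE_TEAM.get(r["mrn"], set()):
            findings.add((r["user"], "no_treatment_relationship", f"mrn {r['mrn']}"))
        # Rule 2: non-clinical access outside business hours, counted per day.
        t = r["ts"].time()
        if r["role"] not in CLINICAL_ROLES and not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            after_hours[(r["user"], day)] += 1
    for (user, day), n in after_hours.items():
        findings.add((user, "after_hours_access", f"{n} accesses on {day}"))
    # Rule 3: more distinct charts in a day than the role baseline allows.
    for (user, role, day), mrns in charts.items():
        limit = DAILY_CHART_BASELINE.get(role, 0)
        if len(mrns) > limit:
            findings.add((user, "volume_above_baseline",
                          f"{len(mrns)} charts on {day} (baseline {limit})"))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule, detail in review_access(parse_log(AUDIT_LOG)):
        print(f"{user:10} {rule:28} {detail}")
```

Run against the constructed log, the review flags the nurse's one out-of-relationship chart view and the billing clerk's late-night export run on both the after-hours and volume rules, while the physician's and receptionist's activity passes. The baselines are the part to tune per practice: set them from a few weeks of real logs, not from guesses, or the review will drown in noise.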
Protecting patient medical data and maintaining compliance requires a multifaceted approach of tools, policies and practices. From HIPAA to HITECH, providers are bound by multiple laws that govern how PHI is protected, how breaches are reported and how technology may be used.
OCR enforces the privacy and security rules through compliance audits, education and outreach, and, where warranted, corrective action plans and civil money penalties. OCR also works with the Department of Justice on possible criminal violations. Breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay (in addition to other notification requirements).
It's important to note that there is no direct correlation between the size of a breach and the size of OCR's fine. Even a small breach can result in a large penalty when it exposes poor compliance efforts. For example, in June 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled for $650,000 over the loss of only 412 patient records, more than $1,500 apiece. The settlement was a punitive measure in response to the entity having “no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.”[6]
In April 2019, the Department of Health and Human Services announced that it would cap annual HIPAA penalties according to the organization's "level of culpability" for the violation. In practice, a practice that can show it has taken reasonable steps to meet HIPAA's requirements faces a far lower ceiling than one that has made no effort at all.[7]
Maintaining Best Practices And Compliance
Since 2003, OCR has received more than 204,000 HIPAA complaints and has initiated more than 940 compliance reviews.[8] The reasons for the resulting fines and penalties vary, but organizations are usually at fault for one or more of the following:
- No security risk assessment or risk management plan (a common reason for large settlements): Practices must not wait until after a breach to start assessing and managing risk; OCR expects the analysis to exist before an incident.
- Failure to protect PHI: Organizations must implement adequate safeguards, including encryption (especially on laptops and other portable devices) and firewalls.
- Failure to report a breach in a timely manner: Breaches must be reported without unreasonable delay and no later than 60 days after discovery. Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, but the affected patients must still be notified within that 60-day window.
- Disclosing more information than necessary: In 2015, Triple-S Management agreed to a $3.5M settlement for, among other things, disclosing more information than was necessary in mailings to customers.
- Missing business associate agreements: Essentially, a business associate is any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity or another business associate, and each one needs a signed BAA. In 2017, a small pediatric practice agreed to pay a $31,000 penalty after one of its vendors experienced a breach and OCR discovered that neither party could produce a BAA dated before 2013.
- Failure to cooperate with an OCR investigation: Covered entities are required to cooperate with OCR compliance reviews and investigations and to produce the records it requests.
- Failure to provide medical records to patients: HIPAA requires that healthcare providers respond to patients' requests for their PHI in a timely fashion, generally within 30 days.
- Discarding PHI in public dumpsters: PHI must be protected while in a covered entity’s or business associate’s possession and destroyed when it is no longer needed.
Practices can find additional guidance on avoiding these pitfalls and preparing for an OCR audit in the ONC's Guide to Privacy and Security of Electronic Health Information.[9] Its security best practices include the following actionable suggestions:
- Review business associate agreements with all vendors/contractors who have access to PHI; an attorney can help.
- Review documentation of policies and procedures, especially as it relates to the disclosure of PHI, and security measures like encryption of devices.
- Designate a security officer.
- Provide regular HIPAA training.
- Review policies for handling printed PHI and patient requests for medical records.
- Create a data breach response plan.
- Perform a security risk analysis.
- Review practice management and EHR software packages, discussing data protection with the vendor.
- Review operating system and software patching processes, and check basic network hygiene such as replacing the default passwords on routers and Wi-Fi access points.
- Consider hiring an outside security company to perform the HIPAA security risk analysis.
- Create a risk management plan: Document risks that come out of the security risk analysis, determine how they’ll be handled, and track progress of remediation efforts.
When it comes to PHI, there is no shortage of threats and points of entry. Practices can easily become overwhelmed and discouraged by the protective work required, but it's critical to push through that. Most cyber criminals want easy money; a modest, consistent effort is often enough to send them on to a practice that hasn't put up the same hurdles. As novelist Jim Butcher put it, “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”