Trending Topics: Data Security Makes or Breaks a Practice

(Update: January 2021 data breach numbers are available here.)

A recent webinar surveyed healthcare providers about what was on their minds. Technology was a consistent trend. Data security was a consistent concern. Stealing medical records is a growing business for hackers. More and more data are captured, but are they protected?

For doctors, this is a risk most don’t know how to mitigate. But a data breach can be devastating to your business.  This image from the Health Sector Coordinating Council is a warning to doctors who think it can’t happen to them.

As a business entity under HIPAA, it is your responsibility to secure patient data. Just like locking a file cabinet with paper records, electronic records require protection.  Smaller practices are struggling to meet cybersecurity demand.

HIPAA Data Security Standards

The protection of data is covered in the Security Rule. These are the standard technical safeguards your office needs to meet.

Access Control is the first standard required by law. There are 4 components.

  1. Unique User Identification: To access the system, each user has a username and password unique to them. This is critical for system audits.
  2. Emergency Access Procedure: There must be a written procedure for accessing data in the event of an emergency or natural disaster. The purpose is to maintain a continuum of care.
  3. Automatic Logoff: An automatic log off terminates a session after a certain amount of inactivity. Imagine an employee who leaves the system up while going to lunch.
  4. Encryption and Decryption: Encryption hides data and renders it unusable to hackers. The process uses keys to encrypt and decrypt the data.

Audit Controls are the next required standard. This standard requires systems and applications to have the ability to track and analyze the use of ePHI. Most eHealth systems will include this capability. These audits are an ongoing requirement, so test your system.

The standard doesn’t set timeframes for auditing. Audits can catch mistakes and bad behavior. For smaller practices, once a quarter makes sense. For hospitals or other large providers, we suggest once a month.

Data Integrity is the third standard. HIPAA requires policy and procedures for proper use and disposal of data. A breach at a physician’s group was the result of a vendor hired to dispose of paper files. Records were tossed in a landfill, still identifiable.

  1. Mechanism to Authenticate ePHI: This is a corroboration measure. The goal is to identify the risks of data alterations or deletions. (The technical solution is a checksum verification.) This should be built into any HIPAA-compliant system.

Person or Entity Authentication is exactly what it sounds like. Anyone who uses the system must be authenticated. For most users, this means a password. This can be problematic depending on the strength of the password.

(Avoid using employee email as a username. If a hacker sees your email structure, it’s not hard to find an employee account. Imagine the office email is @doctorsofficename.com and your nurse is named Susan. It isn’t hard to figure out how to email Susan directly. Especially for a phishing campaign.)

Beyond a password, many organizations use tokens, badges, or two-factor authentication. The most sophisticated use biometrics – retina or fingerprint scans.

Not all users need the same authentication method.

Transmission Security includes the protocols to securely transfer data. Sharing, exchanging, and moving data among providers is a vulnerability.

  1. Integrity Controls: This standard applies to protecting data integrity during transmission. The purpose is to ensure the data is not modified or destroyed during transit.
  2. Encryption: The standard does not define what level of encryption is required. The bigger your organization, the stronger the encryption.
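The checksum verification named under Data Integrity, and the integrity controls for data in transit, can be sketched as follows. This is an added example, not code from any HIPAA system; it uses a keyed HMAC-SHA-256 instead of a plain checksum so that someone who alters a record cannot simply recompute the value, and the record contents and key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample records (record id -> content); not real patient data.
RECORDS = {
    "rec-001": b"2021-01-04|visit|BP 120/80",
    "rec-002": b"2021-01-05|lab|HbA1c 5.6",
    "rec-003": b"2021-01-06|rx|lisinopril 10 mg",
}
# Assumption: the key is stored apart from the records (placeholder value).
KEY = b"constructed-demo-key"


def build_manifest(records, key):
    """Return {record_id: HMAC-SHA-256 tag} covering the id and the content."""
    return {
        rid: hmac.new(key, rid.encode() + b"\x00" + data, hashlib.sha256).hexdigest()
        for rid, data in records.items()
    }


def verify(records, manifest, key):
    """Compare the records as they are now against a previously saved manifest."""
    current = build_manifest(records, key)
    altered = [r for r in manifest
               if r in current and not hmac.compare_digest(manifest[r], current[r])]
    return {
        "altered": sorted(altered),
        "deleted": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Alter one record, delete one, add one, then verify against the manifest."""
    manifest = build_manifest(RECORDS, KEY)
    tampered = dict(RECORDS)
    tampered["rec-002"] = b"2021-01-05|lab|HbA1c 9.9"
    del tampered["rec-003"]
    tampered["rec-004"] = b"2021-01-07|visit|follow-up"
    return verify(tampered, manifest, KEY)


if __name__ == "__main__":
    print(demo())
```

The same manifest works for a transfer: the sender builds it, the receiver runs the verification on what arrived.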

Encryption is essential, no matter what the size of your practice. If you’re sharing data electronically, you need to protect it.

HIPAA has been around for a while now. The majority of these requirements are built into systems. But that doesn’t mean you don’t have any accountability. Technology providers are quick to point out that they “support a provider’s efforts to comply with HIPAA.”

There are things you need to do if you want to prevent a data breach.

Reduce Data Breaches

The Department of Health and Human Services has researched 90 data breaches, affecting more than 9 million patients. Healthcare data is very valuable, more so than other industry records. The intensity and sophistication of cyberattacks on systems will continue to increase.

This table outlines a sampling of 2020 data breaches. Just these 7 impacted 2,737,817 patients. The average cost to the data owner is $408 per breached healthcare record.

Do the math for your own business.

2020 Data Breaches

Phishing

It’s surprising to see how effective phishing campaigns can be. A phishing campaign sends an email to someone in the office. It contains a link to a fake website that appears to be credible. In the Magellan Health case, the email appeared to come from one of their clients.

The goal of a phishing campaign is for the recipient to click the link. Once they do, the hacking begins. Depending on the security of the system, they steal the data. They deploy malware or infect the computer with ransomware.

When a phishing email comes in, it’s easy to be fooled (and tempted to click). The best thing to do is to disable the links on an incoming email. If you use MS Outlook as your office email, one of these 4 ways should work.

Unfortunately, other email providers are less transparent. Ask if there’s a way to disable links on incoming emails. Do not let employees (or colleagues) use personal email accounts for business purposes. The office loses all control.

Phishing puts your practice at risk. In 2018 the cost of a healthcare data breach was $408 per record, according to IBM. If you have just 500 records in your system, that’s $204,000. If you’ve been in business for 5 years, that’s only 100 patients a year.

Protect your business. Train your employees not to click. Then make it harder for them to do it.

Ransomware

Ransomware is malicious software that encrypts data and denies the owner access. The data is encrypted with a key created by the hacker. If you want your data back, you have to pay the ransom. They aren’t just holding data hostage, they make it impossible to treat patients.

These attacks are on the rise. Hacker groups are extending themselves to create leaker sites. If you don’t respond to the ransom, they start leaking the data online.

Here’s a list of ransomware hackers. As noted above, phishing is the easiest way for hackers to get in. Once they are in, you’re in trouble.

Backups are the way to protect your data. Isolate your backups from the rest of your system. When ransomware infects your computer, it will delete any backups it comes across. It also likes to spread to any other system it can jump on.

Back your data up to a separate hard drive that isn’t connected to the internet. Plug it in once or twice a week, depending on the volume of data. Once the backup is complete, disconnect the drive. If you can, duplicate the backup and store it offline at a separate location.

Make sure all computers are shut off after hours.  If you’re working from a remote computer, make sure it’s HIPAA compliant. Be sure to disconnect from the internet when you’re done. Better yet, set up the system to automatically log out users.

Dormant Accounts

A dormant account belongs to someone who is no longer working at your practice. This includes ex-employees, temps, contractors, and virtual assistants. Too often account access is forgotten when a relationship ends.

When accounts remain intact, people outside your practice have access to patient data. This is dangerous. A disgruntled employee might try to damage the system. A financially strapped temp might be influenced by money. Social media posts help bad actors find and exploit them.

When you hire or contract with anyone, make a list of any system they can access. When they leave, immediately remove their user access to systems on the list. Think of it as returning the keys to the office.
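The access list described above can be checked against what each system actually has enabled. This is an added example, not part of the original article; the register layout, system names, and account names are constructed assumptions, and it goes slightly beyond departed staff by also flagging accounts nobody on the register owns and access that was never on a person's list.

```python
from datetime import date

# Constructed access register, one entry per person, written at hire time.
REGISTER = [
    {"account": "s.alvarez", "systems": {"ehr", "email"}, "left": None},
    {"account": "t.okafor", "systems": {"ehr", "billing"}, "left": date(2021, 1, 15)},
    {"account": "va.contract", "systems": {"email", "scheduling"},
     "left": date(2020, 11, 30)},
]

# Constructed exports of the accounts currently enabled on each system.
ENABLED = {
    "ehr": {"s.alvarez", "t.okafor"},
    "email": {"s.alvarez", "va.contract"},
    "billing": {"old.admin"},
    "scheduling": set(),
}


def find_dormant(register, enabled, today):
    """Return sorted (system, account, reason) for accounts that should not exist."""
    by_account = {entry["account"]: entry for entry in register}
    findings = []
    for system, accounts in enabled.items():
        for account in accounts:
            entry = by_account.get(account)
            if entry is None:
                # Nobody on the register owns this account.
                findings.append((system, account, "not in register"))
            elif entry["left"] is not None and entry["left"] <= today:
                days = (today - entry["left"]).days
                findings.append((system, account, f"owner left {days} days ago"))
            elif system not in entry["systems"]:
                # Current staff, but this system was never on their list.
                findings.append((system, account, "system not on access list"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_dormant(REGISTER, ENABLED, date(2021, 2, 1)):
        print(finding)
```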

If you use an IT support service, be aware of their team’s level of access. If you use remote shared screens, be careful. Do not type a password to a sensitive system. A readily-available device can capture keystrokes. IT contractors come and go without clients knowing.

You don’t want to find out the hard way. Remove dormant accounts.

Partners, Providers and Vendors

When you look at the breach events above, not all started with the data owner. Businesses build relationships. For doctors, those include labs, hospitals, pharmacies, medical coding and billing. If bad actors get into those systems, it could put yours at risk.

A disgruntled employee. Unencrypted data transfers. How they store and manage data has to be a critical component of a partnership. A HIPAA BAA won’t protect you if employees can store data on a laptop. That’s how the largest Medicaid Coordinated Care organization in Oregon got hacked. A stolen laptop.

A healthcare accounting firm was hit with ransomware. Some patient data was in their systems. They were able to restore the data from backups. It’s unclear what happened to the hacked records.

It’s impossible to monitor the security practices of every vendor you use. Regular audits and re-certifications are required under HIPAA. (Are you doing your own?)

It’s reasonable to ask to see them. Make it a point when you hire a vendor to ask about their data security practices. Check their record in terms of breaches. Do a background check.

Make it a practice to share data instead of system access. Control and secure the data transfer to protect your patients.

Malware Protection

This sounds obvious but how good is your virus software? It’s important to maintain security on any device that might access office systems. If you log in on your cellphone or home computer, it’s a point of entry. Put malware protection on any device with system access.

Malwarebytes has a version for healthcare. Take a look to see if it’s a good fit.

Mobile devices are a hacker’s best friend. Do not access systems in public places, like airports or coffee shops. Any log in on a mobile device should be manual. No password autofill. Don’t add the system’s icon to your home screen. Think about the consequences of a lost or stolen phone.

Make sure any mobile device that has access to ePHI can be remotely locked and wiped. That includes laptops, tablets, and phones.

Danger in the Data

Medical data collection continues to expand. It’s no longer the purview of a patient and a physician. Data is collected in electronic health records and shared electronically with other providers. The data are scrubbed of Personally-Identifiable-Information (PII) and aggregated.

Now we have a growing pool of data for research, public health, and precision medicine. That pool is then accessed by any number of users. There is certainly value in data analytics. But has the demand for “big data” gotten ahead of privacy and security?

Three technical hot spots pose challenges to data integrity and security.

Wearables

Wearable devices collect data but are they HIPAA compliant? Do they have to be? It depends. HIPAA requirements extend to business entities, not individuals. If a patient uses an app to track weight, diet, or exercise, that data is personal. HIPAA does not apply.

Physicians use remote monitoring devices in growing numbers due to the pandemic. The data from those devices need to be HIPAA-compliant. A growing number of employers and insurers monitor employee health status. The data collected from these devices are protected under HIPAA.

But what happens when data from a patient’s personal app gets pulled into the mix? A new telehealth company, SteadyMD, claims to merge data from a personal device into a patient’s EMR. Suddenly there’s a HIPAA requirement for a device that isn’t HIPAA compliant.

It’s a recipe for disaster.

Data Storage

Healthcare providers collect data in the EHR. Most don’t know much about where and how it’s stored. Many medical practices have no IT staff on site. Doctors hire contractors to provide user support or computer repair. They don’t have the skillset to consult on data security.

Cloud computing allows data on remote servers to be accessed from the internet. The servers sit in data centers located around the world. Cloud computing adds a level of complexity to data security. Many cloud computing platforms for medical data are not investing in their infrastructure.

Datacenters must have strict protocols for technical, administrative, and physical security. Audits and certifications monitor their compliance. Ask to see those outcomes. Offshore data centers may not have the same legal protections as the U.S.

Make sure you know who’s accountable for what.

Data Sharing

A key component of Value-Based Care is collaboration. To increase efficiencies, medical records are exchanged among providers.  Anytime data are transported, the chance of a breach increases. Proper encryption protocols can help protect the data and the system.

Communications to and from partners and suppliers keep growing. With calls from patients to access their medical records, controls become more challenging. Email is too risky. Mail is too slow.  One surprising solution is a HIPAA-compliant cloud fax. Yes, fax.

Keep Your Data Secure

Protecting patient data protects your reputation. Not to mention, your checkbook. Don’t be intimidated. If it’s easier, bring in a consultant to assess the current status of your systems. Spend the money now or spend it later…when you’ll need to hire a PR firm.
