Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself: how can you put a multi-layer defense in place to prevent a breach?

What are the risks? Reputational risks? Data integrity risks?

Areas To Address:

  • Encrypt every device, and protect the data center from both external and internal attacks
  • Have a risk analysis done properly: OCR now asks for up to five years of history to show that you have made a conscious effort to mitigate your risks every year
  • Staff training and education, penetration tests, and cable locks or trackers for unencrypted devices all matter.
As previously mentioned in my blogs, OCR stated that over 60% of breaches occur because of theft or loss of an unencrypted device. Therefore, it is important to keep track of any device that leaves the office! Unauthorized disclosure accounted for 16% of breaches, and hacking accounted for only 7%.
A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.
Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Important Reasons To Keep Patient Information Secure

Some organizations are unaware they have had a breach until the FBI initiates the incident report. It is not only hospitals that are responsible: liability can extend to a medical application developer or third-party vendor. It is highly recommended that healthcare organizations verify vendors' security and make it part of the contract. HIPAA breaches can result in federal, state and/or regional fines.

For example, Health Net, the Woodland Hills, Calif.-based health insurance company, learned in January 2011 that its business associate IBM had lost nine unencrypted server drives. These drives contained names, Social Security numbers, addresses and health information of Health Net employees, members and providers. Health Net did not receive federal fines, but two state attorneys general offices filed suit against the firm.
As a result, Health Net had to pay $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. Additionally, it settled with Vermont's attorney general for $55,000.
According to 2012 statistics, a person whose data has been breached has a 1 in 4 chance of becoming a victim of fraud.
Breach Due to a Weak Default Password on a Server
The report examined a HIPAA oversight by a contracted Utah Department of Health employee that affected 780,000 people. The server had a weak default password, and because the department's IT assets were not managed appropriately, hackers exploited the vulnerability and took Social Security numbers, medical diagnostic codes and dates of birth. Javelin Research estimated that some 122,000 cases of fraud would result, at a total cost pegged at a whopping $406 million, with approximately 20 hours needed to resolve each fraud case.

Having a Social Security number stolen puts the person at risk indefinitely.

Trust & Patient Health

“People refuse to see doctors for sensitive conditions because they know the information won’t stay private. I’m talking about cancer, depression, sexually transmitted diseases,” said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. “That’s a tragedy when people who have very treatable, serious medical illnesses won’t get care.”
A 2014 Harvard School of Public Health study assessing the privacy perceptions of U.S. adults regarding their health data found that more than 12 percent of some 1,500 respondents had withheld information from care providers over concerns about the security of their medical records.