Time for your Practice to Revisit your Security Standards

Does your practice have safeguards in place to protect your HIPAA sensitive information? Has your practice participated in security training or conducted a Risk Assessment. Do you have a mitigation plan in place if your practice does experience a breach in your data? These are all important and relevant questions to be asking yourself as a provider moving into the New Year. According to a recent report released by Experian, the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually in 2015.

Experian’s almanac predicts a stormy forecast is ahead for the healthcare industry as the threats are growing. The report points to many vulnerabilities, the expanding number of access points to protected health information, or PHI, and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the healthcare industry a vulnerable and attractive target for cybercriminals.

“We expect healthcare breaches will increase – both due to potential economic gain and digitization of records. Increased movement to electronic medical records and the introduction of wearable technologies introduced millions of individuals into the healthcare system, and, in return increased, the potential for data breaches,” the report notes.

”Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals,” the authors add. “The problem is further exasperated by the fact that many doctors’ offices, clinics and hospitals may not have enough resources to safeguard their patients’ PHI. In fact, an individual’s Medicare card – often carried in wallets for doctors’ visits – contains valuable information like a person’s Social Security number that can be used for fraud if in the wrong hands. Currently, we are not aware of any federal or law enforcement agency which tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged.”

The takeaway? Security breaches are a real and increasing threat to the Healthcare industry and taking the proper precautions and implementing security standards, processes and protocols is no longer an option but a necessity. Consult with a security expert today for a Security Assessment and Mitigation Plan at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) 1-800-376-0212 or contact@ehrpmc.com

HIPAA Compliant v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate amongst the medical security community as to what safeguards are to be taken in order to assure your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess levied a hefty fine, when a provider’s unencrypted laptop was stolen that contained patient information. This incident was responsible for leaking sensitive information of more than 41 million patients. This is clearly a black and white case of negligence, which is why the fine was levied, however what if the laptop was encrypted and the owner was robbed at knife point and forced to disclose the password information? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Woman’s Hospital, this is exactly what happened to one of their physicians, creating an interesting interpretation of the HIPAA Privacy Rule and Security Rule. This most incident reported the theft of two devices that contained patient related information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question of whether encryption alone covers a healthcare organization responsibility to the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is No, encryption alone not enough. HHS states that the HIPAA Security Rule involves, “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.”

This is the third HIPAA breach for BWH, according to data from HHS – and the third theft. BWH, is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With the advances of technology and sharing of information come the responsible to protect that information, the government has defined how that information is to be protected but it is responsibility of the Healthcare organization to safeguard patient sensitive information and put the proper precautions and mitigation plans in place to ensure security. Consult with a Security Expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com, even if you have completed a Security Assessment and have a Mitigation plan already in place, it’s better to have the assurance from a professional.

 

Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have affected such big name companies as Target, Home Depot and most recently JP Morgan. hackers, reportedly stealing financial information from over 76 million households. Financial information is important to safeguard understandably but what about your personal information, such as your medical records and social security number, the most coveted piece of information? A recent healthcare data breach has affected 30 million people and counting, this information however includes patients’ social security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess, in Boston, MA can attest to how this can happen to any Healthcare Organization, especially when the proper training and precautions are not put in place. Beth Israel Deaconess was hit with a heavy fine this month, after information was leaked from an incident occurring in 2012, when a physician’s personal laptop was stolen. The Massachusetts Office of Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, Healthcare data has seemingly become increasingly targeted, accounting for 43 percent in major data breaches reported in 2013. It seems to be on pace for this year and a dark shadow has already been cast over 2015.

Although the Federal Reporting requires breach notifications, that is in my opinion too little too late. Hefty fines are turning the heads of many larger healthcare organizations, reporting that 69 percent of health security professionals in a 2013 survey said their organization has a data breach plan in place. That’s not a number to grant a sense of ease, in fact it’s not the 40 percent of larger healthcare organizations that are unprepared that worries me, it’s the smaller private practices that have no or strategy in place and much like the Beth Israel Deaconess incident are still carrying my private medical information and potentially my social security number on a personal laptop with no encryption to secure the contents of the computer.

The moral of this story…don’t be a victim, take HIPPA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!