It seems like every week I hear of another data breach. In 2019 alone there were several major data breach announcements that caught the world’s attention, including: Capital One, Evite, Facebook, DoorDash, T-Mobile, Georgia Tech, Wawa, and many more. While these massive data breaches are what grab headlines, most data breaches actually occur at small companies.
Studies suggest 70 percent of all data breaches happen to businesses with fewer than 100 employees. Perhaps no industry has been a bigger target for data breaches in the last five years than the healthcare/medical sector. According to the Industry Resource Center, the healthcare/medical industry had three times more data breaches than the banking/financial industry—and it’s only getting worse. The number of data breaches in the US healthcare/medical sector increased from 16 in 2005 to 363 in 2018.
The healthcare/medical sector is a prime target for data breaches because the industry captures so much valuable personal health information: name, address, social security number, driver’s license, date of birth, health insurance information, etc. In many ways, it’s “one-stop shopping” for a hacker to steal a person’s identity. In addition to the prevalence of personal health information, the number of attempted hacks and the capabilities of hackers is increasing faster than healthcare cybersecurity infrastructure. This is especially true in smaller physician practices where keeping up with necessary cybersecurity investments is a daunting task.
Medical practices that experience a data breach are required by law to promptly report all HIPAA data breaches to the Office of Civil Rights, and to provide timely written notification and credit-monitoring to all affected patients. Data breaches can result in substantial penalties and fines. Up to 60 percent of all small businesses fold after a data breach due to the direct costs related to the breach and the indirect loss in revenue, due to lost customers and patients resulting from damaged reputation and broken trust.
So, what actions should a medical practice take to protect itself from a data breach? Without doing an in-depth analysis of each individual practice, it’s impossible to provide a comprehensive list of actions that should be taken. However, we can provide a few action items necessary to protect your medical practice:
- Transfer risk through cyber insurance. Recovering from a data breach can be very expensive. Medical practices should strongly consider purchasing cyber protection as part of their business insurance coverage. According to David Line, CFO at VitalSkin Dermatology, “Cyber insurance will help cover the financial costs associated with a data incident. This includes costs associated with forensics, notification and call center costs, credit monitoring fees, public relations fees, and legal fees. However, cyber insurance provides much more than just risk transfer. Good cyber policies also help prevent a breach in the first place. They provide password protection software, employee training, and incident response support. It should be an integral part of every medical practice’s risk mitigation solution.”
- Comply with HIPAA. To comply with HIPAA and to identify potential weaknesses, a medical practice should conduct a Security Risk Assessment (SRA). An SRA should include the following:
  - Identify the personal health information (PHI) and electronic personal health information (ePHI) that your practice creates, receives, stores, and transmits.
  - Identify the human, natural and environmental threats that pose a risk to the integrity and security of PHI and ePHI. This should include identifying any breach that could be “reasonably anticipated.”
  - Determine the impact of a PHI or ePHI breach and assign a probability of a breach occurring for each identified scenario.
  - Document your findings and ensure appropriate policies and procedures are in place to safeguard PHI and ePHI.
  - An SRA is not a one-time requirement; it is a regular, ongoing task.
- Encrypt all devices that contain PHI. Lost or stolen devices, including mobile devices, desktop computers, laptops, thumb drives, etc., are one of the leading causes of data breaches. HIPAA regulations provide a safe harbor if the lost or stolen data is encrypted. Even so, the vast majority of ePHI breaches still stem from the loss or theft of devices and the transmission of unsecured ePHI. Medical practices should take steps to ensure all mobile devices, email, workstations and stored data are encrypted. If you or your staff are texting patients, you should ensure you are using a secure texting application.
- Prevent password theft. The most common way hackers get access to your ePHI is by capturing or guessing your passwords. According to JD Norcross, Director of Information Technology for VitalSkin Dermatology, “Medical practices should ensure they use best practices to secure passwords. This includes making sure all passwords are strong. They should include at least eight characters: numbers, capital letters and special characters. Do not use dictionary words, and consider using pass phrases. Change passwords every 60 days, do not post passwords in plain sight, use multi-factor authentication, lock users out after three failed attempts, consider using a password database, and limit user access to the most sensitive databases to only those who need it to perform their job.”
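The password rules quoted above (at least eight characters with numbers, capitals and special characters, no dictionary words, lockout after three failed attempts, rotation every 60 days) as an added example in Python, not code from the article or from VitalSkin Dermatology; the dictionary word list is a constructed stub standing in for a real one.

```python
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3   # lock the account on the third failure
ROTATION_DAYS = 60        # passwords older than this must be changed
# Constructed stand-in for a real dictionary word list (assumption)
DICTIONARY_WORDS = {"password", "welcome", "summer", "clinic", "dermatology"}


def check_password_policy(password):
    """Return the list of policy rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Strip digits and symbols first so "Welcome1!" still trips the dictionary rule
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY_WORDS:
        problems.append("dictionary word")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per user and locks after the threshold."""

    def __init__(self, threshold=MAX_FAILED_ATTEMPTS):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def record_failure(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return user in self.locked          # True once the account is locked

    def record_success(self, user):
        if user in self.locked:              # a locked account stays locked
            return False
        self.failures[user] = 0              # success resets the counter
        return True


def password_expired(last_changed, now, max_age_days=ROTATION_DAYS):
    """True when the password is older than the rotation period."""
    return now - last_changed > timedelta(days=max_age_days)
```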
- Review all of your business associates. “Business associate” is a term defined under HIPAA; in practice it means any vendor or partner that provides a service to a covered entity when that service involves access to personal health information. Examples of business associates include accountants, lawyers, IT providers, billing companies, cloud storage services, transcription firms, etc. If a data breach is caused by or suffered by one of these business associates, it does not absolve the medical practice of its responsibility to protect the data. Before entering into a formal business arrangement, the medical practice should understand the business associate’s policies and procedures for safeguarding PHI. As it enters into a formal relationship, the business associate should sign a business associate agreement. The agreement should clearly define the business associate’s privacy and confidentiality obligations, specify which personal health information the business associate will have access to, how the PHI will be used, how the PHI will be returned or destroyed, the obligation to report any breach, the obligation to reimburse the medical practice for any damages caused by the business associate’s negligence, and the medical practice’s right to periodically audit the business associate. Furthermore, consideration should be given to how the data will be encrypted as it is passed to the business associate.
- Regularly train your staff to prevent breaches and ensure security compliance. Your employees may be your weakest link when it comes to preventing a data breach. A recent IBM study found that up to 95 percent of all data breaches were caused by employee errors. These errors included losing devices or having them stolen, sending information to the wrong recipient or sending sensitive data unencrypted, and falling victim to phishing or ransomware attacks. Employees must be periodically trained on the medical practice’s policies and procedures designed to comply with HIPAA and to protect PHI. This should include training that teaches employees to recognize ransomware and phishing attempts.
- Migrate software and data solutions to cloud-based solutions. Medical practices should consider migrating their information technology solutions to cloud-based solutions for application and data storage. Most cloud vendors have implemented security features that most medical practices cannot implement or maintain. With this said, a decision to use a cloud-based solution should not be entered into blindly. It is still the medical practice’s responsibility to perform the necessary due diligence to ensure the cloud-based provider can adequately protect and safeguard your practice’s personal health information.
- Develop robust IT security features to protect your practice. According to Norcross, there are a number of steps a medical practice should take to provide a secure IT environment. “For those critical applications or storage solutions that are not in a cloud environment, back up the data hourly and test the backup process and the restoration process. Furthermore, develop intelligent firewalls that can detect intrusions and prevent the execution of malware. For an extra layer of defense, install anti-virus and -malware software on all desktops. Finally, make sure software fixes and patches are installed promptly to shore up any vulnerabilities.”
- Perform penetration testing. Make penetration testing by a third party a component of your ongoing effort to ensure a secure environment. Penetration testing can help identify potential vulnerabilities in your security.
- Develop a plan for a data breach. HIPAA regulations require medical practices to develop a plan in the event of a breach. A good cyber insurance policy will assist you in choosing an IT forensic team to help you determine the cause and scope of the breach. The medical practice is required to promptly notify patients and the Office of Civil Rights of any breach, and if it impacted more than 500 patients, the media must be notified. The notification should happen as quickly as possible, but no later than 60 days after the discovery of the breach. Furthermore, the practice will need to provide ongoing credit-monitoring services to the patients impacted.
Unfortunately, the risk of a data breach increases every year. With proper planning and execution, a medical practice can significantly mitigate its risks, and protect its patients, providers, and bottom line.