Massachusetts Medical Society: Keeping Your Patients' Data Secure - Best Practices to Minimize Risk


In today’s world, a person’s health information can be even more valuable to thieves than a credit card number, making medical identity theft one of the fastest-growing crimes in the United States. Meanwhile, the instances in which your practice stores and transmits protected health information (PHI) expand by the day. These vulnerabilities don’t just expose your patients to having their data stolen or misused, but also place your practice at risk for HIPAA audits — fines topping six figures and untold levels of reputational damage.

The first step toward preventing these leaks and their consequences is achieving HIPAA compliance — for which the MMS offers a comprehensive online toolkit — a top priority, according to Kerry Ann Hayon, M.H.A., in-house consultant for the MMS’ Physician Practice Resource Center. “Practices do have a lot on their plate, but they need to focus on getting HIPAA compliance right — because that’s where they’re at risk now,” she said.

Ali Pabrai, cybersecurity expert and chief executive officer of the online security company ecfirst, agreed, noting that physician practices may be more vulnerable to audits than they realize. “Today it’s not a question of if, but when a practice experiences a breach,” he said. “The Office for Civil Rights (OCR) does look at breach notifications to see whether an organization is taking HIPAA seriously or not, and that could trigger a HIPAA audit.”

Mobile Device Security

Pabrai delivered a presentation on compliance and cybersecurity at MMS Headquarters last year, during which he highlighted the rapid proliferation of mobile device use in health care. As he predicted, the risks associated with PHI stored and accessed via laptops, tablets, thumb drives, smartphones, and other easily lost or stolen devices have only risen.

Experts agree that the most effective way to protect information flowing through or stored on these devices is with encryption, but barriers remain in applying the technology universally. “Physicians are very smart people, but there are physicians and practices that just don’t know what they don’t know,” said Leon Barzin, MMS’ director of health information technology.


To help answer this need, the MMS partnered in 2013 with DocbookMD to provide members with free access to a HIPAA-secure messaging application for mobile devices. “It’s being used increasingly by our members to communicate among physicians and also with staff,” Barzin said. The platform guarantees that no PHI, including text messages, X-rays, or other images, stays on the phone. “All of the information is stored off of the phone or device on servers that are encrypted, and it stays there for the legally mandated seven years. There’s no point at which somebody could breach that information.”

“There is no gray area when it comes to encryption — something either is or it isn’t,” added Pabrai.

Cloud-based systems are a common area of misunderstanding, as practices may think the cloud-service provider is responsible for security of the data. “But that’s not the case,” said Pabrai. “When there’s an OCR audit, the auditors look at it in a simple manner: ‘Who came into contact with that patient information?’” At the end of the day, responsibility rests with the entity that controls the supply chain of patient information, yet that data is typically not encrypted across all elements of the computing ecosystem, he said.

Phishing Emails

Even if you encrypt all of your PHI that’s in motion and at rest, there’s the risk that personnel will be tricked into simply handing it over. One of the most common ways organizations inadvertently expose themselves to hackers is by responding to fraudulent “phishing emails.” This type of scam was the culprit behind a recent breach that impacted about 3,300 patients of Boston-based Partners Healthcare, for example.

One reason phishing has become so problematic is that it’s become very sophisticated, Barzin said. “The branding has become so good that these emails really look like things you can’t ignore, and they come on a daily basis from what look like sources we wouldn’t think twice about interacting with.”

What’s more, given how quickly many people sort through email, it’s all too easy for employees, managers, or physicians to realize that a link should not have been clicked just a second too late. For these reasons, Pabrai recommends IT-based safeguards. “Most people say it should start from policy and training, but I disagree. If you don’t have strong security controls deployed — antivirus software, antispyware, and the like — you have no chance. The capability to minimize the risk from phishing has to be automated and consolidated,” he said.

Once these systems are in place, however, a human being working for or with the practice must be actively managing them, Pabrai said. This person’s responsibilities must include making sure logs are reviewed, software updates are applied, regular training takes place, and the practice makes applicable updates to its policy documents.

Employee Vigilance

That said, it is still important to train employees to spot suspicious emails, and to never send PHI to an unconfirmed source. Another best practice is to keep personal and work computers separate, added Hayon. “I tell people in practices that employees should not be surfing the Internet if they’re logged into your server, because that could open their network up to hacking.” To minimize this risk, many practices have set up a dedicated computer not connected to any PHI for employees to check personal email or browse the Internet during their break time, she added.

Copyright © 2019. Massachusetts Medical Society, 860 Winter Street, Waltham Woods Corporate Center, Waltham, MA 02451-1411