Protect Your Practice from HIPAA Breaches

For the past several years, the physicians at Family Medicine Associates have been concerned about the security of their patients’ private health information. Last fall, they hired a security expert to do a vulnerability assessment. One recommendation was that they encrypt all of their providers’ laptops, an expensive proposition. But they finally bit the bullet six months ago and did it. “Our greatest concern was having a laptop go out of the office and someone accessing patient records,” said Hugh Taylor, M.D., 1 of 11 physicians at the three-site practice. “We’re feeling better about that now.”

Dr. Taylor’s practice was right to be concerned. In 2013, stolen laptops or other mobile devices accounted for 35 percent of the data breaches reported to the U.S. Secretary of Health and Human Services. And health care is one of the top targets of cybercriminals. Almost 44 percent of breaches identified by the Identity Theft Resource Center in 2013 were in the medical/health care industry.

In a 2012 study of hospitals and clinics by the Ponemon Institute, 94 percent reported at least one data breach in the past two years; 45 percent reported they had experienced more than five incidents.

When it comes to cybersecurity, health care is playing catch-up with other industries; as a result, patients’ medical and insurance records are particularly vulnerable to criminals. And because electronic private health information, or ePHI, is so rich in identity information, it is highly valued on the black market. Health insurance credentials — which include information such as a patient’s name, date of birth, contract, and group number — fetch $20 each, compared to $1 to $2 for a U.S. credit card number, according to security service provider Dell SecureWorks. Thieves use private health information for everything from fraudulently billing insurers to obtaining prescription drugs or treatment.

HIPAA brought the privacy and security of medical records to the fore, requiring that providers safeguard both. The Health Information Technology for Economic and Clinical Health Act (HITECH) came along in 2009, with the purpose of stimulating electronic health records adoption, and broadened the scope of privacy and security protections under HIPAA. It also put teeth into the enforcement of HIPAA by creating penalties for violations, making healthcare organizations’ “business partners” equally liable and requiring that providers notify patients when a breach occurs. And if all this wasn’t enough motivation to shore up a practice’s cybersecurity, the Center for Medicare and Medicaid Service’s “Meaningful Use” incentives emphasize this aspect of Electronic Health Record adoption as well.

Breaches are Expensive

MMS’s Director of Health Information Technology Leon Barzin worries about the vulnerability of smaller practices to cybercrime. “They may not have advanced security installed or haven’t implemented the most secure measures for protecting ePHI,” he said. “If one of these breaches occurs, it causes a lot of harm, and not just in terms of fines and penalties but in remediation as well. That’s when the costs start to add up. It’s not hard to get into hundreds of thousands of dollars to remediate.” Remediation expenses can include investigating the breach, notifying patients, new security software and hardware, and training.

When a physician’s personal laptop with patient information was stolen from a Beth Israel Deaconess Medical Center office in May 2012, the hospital spent $300,000 on encrypting staff’s personal devices alone. The financial impact of data breaches for health care organizations in the Ponemon study ranged from less than $10,000 to more than $1 million over a two-year period. In May 2014, New York Presbyterian Hospital and Columbia University agreed to pay $4.8 million in HIPAA fines — the largest HIPAA penalty ever — for inadvertently allowing 6,800 patients’ records to be accessible on the Internet.

Encryption Is Key

Encrypting all transmissions of electronic private health information — including texts and emails — is one of the most important ways to protect patient data, according to Ali Pabrai, a presenter at MMS’s recent conference, Electronic Health Records Next Chapter: Best Practices, Checklists, and Guidelines. Encryption is the conversion of data into a form that cannot be understood unless the reader has a key or password to unscramble the information. Even if a practice has a security breach, the information is protected. “Unfortunately, application vendors in the health care industry have been lethargic about embedding encryption capabilities,” said Pabrai.

Barzin believes that practices that haven’t yet adequately addressed ePHI safety might consider hiring a data security consultant, as Dr. Taylor’s office did. And to better understand what’s required to comply with the HIPAA privacy and security rules, he recommends physicians check out the Department of Health and Human Services’ (HHS) CME-eligible online educational programs at hhs.gov.

Among other actions, the HHS suggests that practices designate a security or compliance officer, conduct security risk analyses at least annually, develop and document security strategies, and train staff (see accompanying story for additional security suggestions).

As more and more practices and other health care entities begin linking electronically to each other, cybersecurity concerns will grow, according to Barzin. “Any time you connect a computer to a network, you have a vulnerability,” said Barzin. “When you have a lot of people without security expertise connecting up and transferring data to other entities, there’s bound to be areas where information is diverted. The problem of security will get worse.”

Vicki Ritterband
Vital Signs Staff Writer

Share on Facebook

New: Advertise With MMS

Increase your brand awareness and visibility to physicians and the general public through advertising space on the MMS website and several MMS email newsletters.

Read More »

Subscribe to e-Newsletters

Stay on the cutting edge of medicine by subscribing to free MMS e-newsletters. Choose from up to ten subject areas including physician and patient advocacy, public health, CME, daily health care news, and more. 

Sign Up »

NEJM Resident 360  Ad

MMSMediaWatch

FacebookTwitterLinkedInYouTube

Copyright © 2017. Massachusetts Medical Society, 860 Winter Street, Waltham Woods Corporate Center, Waltham, MA 02451-1411

(781) 893-4610 | (781) 893-3800 | Member Information Hotline: (800) 322-2303 x7311