Winging it is Not an Option: Cyber Security and HIPAA
Friday, October 14, 2016
Posted by: Chad Schiffman, Healthcare Compliance Pros
We read about them daily…another data breach involving Protected Health Information (PHI). For instance, earlier this year, two Southern California hospitals experienced a cyber-attack in which hackers infiltrated their computer systems. Once the attackers had a foothold on one of a hospital's computers, ransomware (malware that encrypts the data on infected machines) spread across the network. The attackers then demanded a ransom to unlock the servers. Incidents like these could happen to your practice. When security is breached, your assets and your patients' health information are at risk, including the confidentiality, integrity, and availability of any information you create, receive, maintain or transmit.
Breaches are on the rise
Whether malware, ransomware, other cyber-attacks, or a stolen laptop, one thing is certain: breaches are on the rise.
According to a recent Government Accountability Office (GAO) report, 113 million health records were breached in 2015. In 2014 the number was significantly lower, at 12.5 million records. (United States Government Accountability Office, Report to the Committee on Health, Education, Labor, and Pensions, U.S. Senate, August 2016.)
What is behind the growth?
The information contained within medical records is extremely valuable to criminals, who have turned to cyber-attacks as a means of accessing electronic health records. A medical record is often worth more to a cybercriminal than financial information alone, because it bundles the patient's name, address, contact information, Social Security number, diagnosis, and other details that can be used for identity theft; unlike a card number, most of it cannot be reissued. This may be why cybercriminals regard medical practices as an easy target. However, these attacks aren't limited to outsiders. The GAO report stated that "insiders are consistently identified as the biggest threat." Practice managers need to pay close attention to insiders because they generally have greater knowledge of, and access to, your systems. It is also not uncommon for disgruntled employees (insiders) to steal, damage or expose internal data or systems.
What has happened as a result?
HHS has established a Health Care Industry Cybersecurity Task Force in an attempt to improve the privacy and security of health information. Likewise, medical practices need to implement security controls that improve the privacy and security of the protected health information (PHI) they are required to safeguard.
The HIPAA Security Rule provides the framework and security measures that help prevent cyber-crime. Under the Security Rule you are required to implement a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic Protected Health Information (ePHI) and implementing security measures to mitigate or remediate the risks identified. In fact, conducting and periodically reviewing a Security Risk Analysis (SRA) is perhaps one of the most important requirements your organization will undertake, because an SRA is the process of identifying potential risks and laying out an action plan to address deficiencies so that your patients' health information is properly safeguarded.
Importance of Basic Safety Principles
We are often our own worst enemies and fail to follow basic safety principles. With that in mind, below is a brief overview of 10 tips developed to help healthcare practices apply cyber-security and risk management principles. This list is by no means all-inclusive, but it does offer a good starting point for safeguarding health information from privacy and security risks:
1. Establish a Security Culture to ensure good habits and practices become automatic.
2. Protect Mobile Devices with strong authentication and access controls.
3. Maintain Good Computer Habits, such as archiving old data files if they are still needed and removing them from the system if they are not.
4. Install and Use a Firewall to protect against intrusions from outside sources.
5. Install and Maintain Anti-Virus Software that updates regularly, for protection against viruses, malware and other malicious code that can reach your computers through downloads, email, etc.
6. Plan for the Unexpected by implementing and testing a Disaster Recovery Plan (DRP).
7. Control Access to Protected Health Information by configuring your EHR to grant access to PHI only to those with a need to know.
8. Use Strong Passwords that are not easy to guess (e.g. names) and Change Them Regularly; preferably, a password should not be used for longer than six months.
9. Limit Network Access by limiting or preventing file sharing, instant messaging, and other peer-to-peer applications, unless a risk analysis has determined they are acceptable. Even then, these applications should be installed only once approved.
10. Control Physical Access by reducing, as far as you are able, the chance that devices are tampered with, lost or stolen.
Learn more about strategies for developing a security plan by registering for the AAOE Hot Topic Webinar: Winging it is Not a (Security) Option, sponsored by Healthcare Compliance Pros.
About the Author
Chad Schiffman is part of the Healthcare Compliance Pros Compliance Support Team. His background includes over 15 years combined experience in Healthcare and Information Technology. He holds degrees in the areas of Medical Specialties, Healthcare Administration and Healthcare Informatics.