Peace of Mind: Keeping Medical Records Safe

By Kim Holmes and Barry Fonarow

How secure are your patients’ data? Storing patient health records electronically may be an efficient solution to the antiquated paper filing system of the past, but despite the many upside perks (including financial incentives from the government to adopt electronic health records), a failure in your system that results in breached data may come at a hefty price.

As a psychologist, you understand that maintaining confidentiality between patient and therapist is core to your ability to practice. Suffering a data breach could not only cost you time and resources but could cost your professional reputation.

While federal and state laws vary, generally a data breach can occur when sensitive protected health information (PHI), including mental health records and personally identifiable information (PII), is accessed without authorization, which can occur through intentional or unintentional means.

According to a recent U.S. Department of Health and Human Services report, roughly 7.9 million people’s medical records have been exposed in 30,750 cases of health care-related data breaches since 2009 — a trend that is expected to continue.

The U.S. Congress first addressed individual privacy infringements in 1996 when they enacted the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules, which sought to set a national legislative standard for protecting electronic individual health information. The issue was revisited in 2009 with the signing into law of the Health Information Technology for Economic and Clinical Health Act (HITECH) — a piece of legislation that was introduced as part of the Patient Protection and Affordable Care Act (the “health reform” law) that amended HIPAA — giving it “teeth” for the first time in the form of potential civil monetary fines and penalties.

While HIPAA/HITECH now provides that fines and penalties may be incurred by a health care organization in the event of a breach (on a sliding scale ranging from $50,000 up to $1.5 million per violation for the most egregious breaches), whether and to what extent these fines and penalties may be levied is always a subjective assessment by the government. An organization’s preparedness to prevent a data breach and its timely and appropriate response to a breach are factors taken into account by the federal government in determining whether and to what extent fines and penalties will be assessed under HITECH.

In addition to lost and/or stolen laptops and other portable electronic devices, one of the largest causes of health care-related data breaches is employee negligence. For instance, in 2010 NewYork-Presbyterian Hospital at Columbia University Medical Center reported a data breach which resulted in 6,800 patients’ PHI, including 10 social security numbers, being accidentally posted on the internet by an employee.

Additionally, allowing access to information by third party vendors and service providers may add another layer of vulnerability that is often overlooked when identifying cyber security weak spots. From 2010 to 2011, the personal PHI pertaining to 20,000 patients who visited the emergency room at Stanford Hospital in Palo Alto, Calif., remained publicly accessible on an online homework help site following an incident with the hospital’s third party billing contractor.

In the event that a cyber-related data breach occurs, there are often far-reaching repercussions including reputational harm and financial burdens due to potential fines and penalties and civil and class action lawsuits. There may also be expenses related to privacy notification, credit monitoring, health records resolution services, crisis management and forensic investigation.

The first step to protecting against a cyber-related data breach is through education. Learn about the federal and state laws that could apply to your organization and understand the reporting and notification requirements that may apply in the event of a data breach. Utilizing best practices both in advance of and at the point of discovering a data breach may also position your organization to be viewed more favorably by a federal or state reviewing authority post breach.

With most health care organizations only allocating 2 percent to 3 percent of their IT budgets to cyber security, an all-inclusive plan will probably be a distant reality at first for most practices. However, being caught unaware and unprepared when a breach occurs could have catastrophic consequences that an organization may not be able to weather. Therefore, in addition to consulting with a trusted advisor such as a specialized privacy/data breach attorney or risk management consultant, following these few simple guidelines may help reduce the impact of a cyber-related data breach:

  • All portable/mobile electronic devices should be encrypted with data encryption software.
  • When outsourcing work, do your due diligence by researching the third party vendor or service provider’s data breach policies, whether and to what extent they have errors and omissions liability and/or cyber liability insurance in place, and seek to put in place a written indemnification agreement with all vendors and service providers.
  • Draft an internal incident response plan for data breaches and make it part of your organization’s culture. A clear plan outlining how to respond to a data breach within your internal organizational structure should help reduce the time between when a breach occurs and when it is appropriately responded to – all of which may place your organization in a more favorable light with an after-the-fact government audit or review of the data breach.
  • Consider the purchase of a cyber liability insurance policy to help weather the financial burden of the “when” not “if” of a data breach occurring.

Complete peace of mind concerning the subject of data breaches and cyber security is not something most organizations can enjoy these days. But, you may be more confident regarding the safeguarding of your patients’ protected health information against a data breach if you have put an appropriate response plan in place to help mitigate the potentially devastating financial and reputational impact a data breach can bring upon your organization.


8 Breach Prevention Tips

By Howard Anderson

What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.

Here are eight key breach-prevention insights from information security thought-leaders:

1. Don’t Forget Risk Assessments

The details of the biggest breaches last year “make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches,” says Dan Berger, CEO at Redspin. “A comprehensive security risk assessment would have identified where PHI [protected health information] is stored, who has access to it and how it’s utilized in the normal workflow. The analysis would then investigate whether sufficient controls are in place.”

Because so many huge breaches have involved the loss or theft of mobile devices and media containing unencrypted PHI, Berger concludes that risk assessments were either not conducted or they failed to pinpoint that vulnerability. He urges organizations to conduct comprehensive assessments that take into account external and internal infrastructure, web applications and wireless security and lead to a mobile device policy and in-depth employee training.

2. Encrypt Mobile Devices, Media

“Even though encryption is what’s referred to as an addressable standard in the HIPAA security rule – which means it’s not actually mandated in all cases – I don’t see any reason why information shouldn’t be encrypted in all cases on portable media and devices,” says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. “That’s one step that organizations can take that can address a very significant share of the types of breaches that are occurring.”

In addition to making better use of encryption, organizations should consider limiting or banning patient data storage on mobile devices, many experts advise. For example, David Szabo, partner at the law firm Edwards Wildman Palmer LLP, says organizations should “reassess their policies about how much information employees really need to take off the premises. … The whole issue of portable devices is one that organizations really need to look at hard.”

3. Beef Up Training

“People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information,” Szabo stresses.

Timothy McCrystal, partner at the law firm Ropes & Gray, points out that the Department of Health and Human Services’ Office for Civil Rights has stressed the importance of ongoing training in its resolution agreements with organizations that have experienced a breach.

“I have participated in discussions with OCR on a resolution agreement, and that was a particular point of focus – that the organization not just have policies and procedures, but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities.”

4. Conduct Internal Audits

In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.

“The belief that audit logs are being monitored and that there is a high risk that if you access a record improperly you will be caught through some sort of audit trail review can have a very important impact on behavior within an organization,” he notes.
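As an added example of the kind of records-access audit trail review Belfort describes (this is not code from the article or from any of the firms quoted), the Python script below scans an EHR access log and flags chart openings a privacy officer should follow up on. The log rows, the care roster and the bulk-access threshold are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample EHR access audit trail (not from the article): one row
# per chart opened, with the reason code the user recorded at the time.
SAMPLE_LOG = """\
timestamp,user,user_last_name,patient_id,patient_last_name,reason
2012-03-01T09:02:00,rn_alvarez,Alvarez,P1001,Jones,treatment
2012-03-01T09:05:00,rn_alvarez,Alvarez,P1002,Smith,treatment
2012-03-01T09:07:00,dr_patel,Patel,P1001,Jones,treatment
2012-03-01T12:40:00,clerk_lee,Lee,P2001,Lee,none
2012-03-01T13:00:00,rn_alvarez,Alvarez,P3001,Brown,none
2012-03-01T13:01:00,rn_alvarez,Alvarez,P3002,Green,none
2012-03-01T13:02:00,rn_alvarez,Alvarez,P3003,White,none
"""

# Hypothetical care roster: the patients each user is assigned to today.
ROSTER = {
    "rn_alvarez": {"P1001", "P1002"},
    "dr_patel": {"P1001"},
    "clerk_lee": set(),
}


def review_access_log(log_text, roster, bulk_threshold=4):
    """Return (user, finding, detail) tuples for chart accesses that a
    privacy officer should follow up on."""
    findings = []
    charts_per_user = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        charts_per_user[user].add(pid)
        # Chart opened with no documented reason for a patient the user
        # is not assigned to: no apparent treatment relationship.
        if row["reason"] == "none" and pid not in roster.get(user, set()):
            findings.append((user, "no-treatment-relationship", pid))
        # Patient shares the user's surname: possible self or family lookup.
        if row["patient_last_name"].lower() == row["user_last_name"].lower():
            findings.append((user, "possible-self-or-family", pid))
    # One user opening many distinct charts in the window suggests browsing
    # rather than care of assigned patients.
    for user, charts in charts_per_user.items():
        if len(charts) > bulk_threshold:
            findings.append((user, "bulk-access", f"{len(charts)} distinct charts"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{user:12} {finding:26} {detail}")
```

In practice the roster would come from the scheduling or ADT system and the findings would be routed to a privacy officer for review rather than treated as proof of misuse.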

5. Monitor Business Associates

About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it’s essential to work with vendor partners to ensure they’re taking adequate breach prevention steps.

McCrystal says it’s important to ask business associates probing questions before signing a contract. Those questions should include inquiries about the companies’ privacy and security policies, use of encryption and reliance on subcontractors.

Healthcare organizations “should actually implement an audit from time to time” to ensure business associates are adequately addressing security, McCrystal adds. “Some of our clients, when contracting with business associates, have conducted audits of their privacy and security practices in advance of entering into a contract.”

6. Limit Data Storage

Fred Cate, a law professor at Indiana University, says the recent breach affecting 24 million customers of Internet retailer raises an important question for security professionals in all industries: “Are you collecting and storing more data than you need? Because if you are, you’re taking on more risks than you need to face.”

In the incident, a hacker gained access to an unencrypted central database containing a wealth of customer information. In the healthcare arena, numerous major breaches have stemmed from massive unencrypted databases stored on laptops or backup tapes.

Ozzie Fonseca, senior director at Experian Data Breach Resolution, notes that about half of 500 organizations across all U.S. industries that have experienced a breach said in a recent survey that they subsequently took steps to limit personal data collected and limit sharing of the data with third parties. About 42 percent limited the amount of personal data stored.

“Collecting and storing unnecessary information is never a good idea,” Fonseca says.

7. Don’t Forget About Paper Records

Szabo points out that federal authorities fined Massachusetts General Hospital $1 million after an employee left paper medical records on a subway train. “We shouldn’t get too wrapped up in just thinking about computers and technical things – paper records can also be at risk simply because of the errors and omissions of employees,” he says.

8. Address Other Potential Vulnerabilities

Last May the HHS Office of the Inspector General issued a report based, in part, on audits of seven hospitals. Those audits, McCrystal notes, identified numerous technical vulnerabilities. “Five of the hospitals had wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless networks from internal wired networks … and no authentication requirements for entering wireless networks,” McCrystal says.

All of the hospitals had some access control vulnerabilities, including, for example, inadequate password settings and a lack of automatic log-off of inactive computers, he adds.

Some hospitals had certain audit log functions disabled. And others had uninstalled critical security patches, outdated anti-virus updates, operating systems that were no longer supported by the manufacturer and unrestricted Internet access for hospital users.

McCrystal advises hospitals to use the report to guide a self-audit to help identify vulnerabilities and reduce the risk of breaches – as well as help prepare for this year’s HIPAA compliance audits.
