In 2015, I wrote a series of articles outlining privacy and security concerns for urologists in light of emerging evidence that health care organizations were being targeted for sensitive data (www.modernmedicine.com/tag/protecting-patient-data). Since then, the problem has continued if not worsened, and urologists need to be ever more vigilant to protect the private information under their custodianship. In this article, I will review some recent developments in this area and some steps that urologists can take to minimize their risk.
Breaches on the rise
The public’s attention was recently turned to breaches of private and sensitive information when the large credit bureau Equifax disclosed the exposure of private information on over 140 million Americans that may have been due to the actions of a single individual. According to the Identity Theft Resource Center (bit.ly/USbreaches), the number of reported data breaches tracked in the U.S. is on track for an all-time high in 2017 and an increase of 29% over 2016. One-third of those breaches in 2016 involved health/medical organizations, second only to the general business category, the center reports. Hacking is the leading cause of breach (63%) and has more than doubled as a percent of breaches since 2014 (bit.ly/Breachcause). This continued rise in activity could be due to hacking becoming easier, or to an increased awareness on the part of health care organizations of their responsibility to report, according to some industry experts (bit.ly/Healthbreaches).
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), as required by the HITECH Act, publishes breaches of unsecured protected health information affecting 500 or more individuals on its breach portal (bit.ly/Breachlist). This author’s analysis of the health care-related incident data contained therein reveals the following for data through September 2017 (annualized):
- The most common type of covered entity reporting a breach is health care provider (80.1%). This category includes physician and hospital organizations, and is increasing as a percent of entities reporting a breach. Health plans (13.7%) and business associates (5.7%) were the next largest types.
- Hacking/IT incidents were identified as the most common type of breach (43.0%) followed by unauthorized access/disclosure (34.5%), theft (15.7%), and loss (4.3%).
- Somewhat surprising: The electronic medical record was only identified as the source of the breached information in 6.6% of cases, a fraction that has remained steady in the last 3 years. The most common location of breached information was email (23.6%), followed by a network server (21.7%), paper/film (14.0%), other portable device (4.6%), laptop (4.3%), and desktop computer (2.6%).
There are 12 organizations that can easily be identified as urology entities from the name of the covered entity in the HHS/OCR data (less than 1% of health care provider entities) since 2009. This includes one organization reporting a hacking incident involving a network server and 300,000 individuals in 2016, and four separate reports in 2017 (all unresolved at this writing) involving 300,036 individuals; two of those incidents also involved hacking a network server, and one was an unauthorized disclosure via email (939 individuals).
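The tallies above can be reproduced from the portal's CSV export. The following is an added example, not the author's own analysis script; the column names are assumed to match the portal download, the rows are constructed, and the breach and location shares are computed the same way, with multi-valued cells (an incident listed as both "Hacking/IT Incident" and "Unauthorized Access/Disclosure") counted once per value.

```python
import csv
import io
from collections import Counter

# Constructed sample rows laid out like the HHS/OCR breach portal export
# (column names assumed; every row below is invented for illustration).
SAMPLE_CSV = """Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Urology Group,Healthcare Provider,300036,03/14/2017,Hacking/IT Incident,Network Server
Example Health Plan,Health Plan,1200,05/02/2017,Unauthorized Access/Disclosure,Email
Example Billing Co,Business Associate,5000,06/20/2017,Theft,Laptop
Example Clinic,Healthcare Provider,939,07/11/2017,Unauthorized Access/Disclosure,Email
Example Hospital,Healthcare Provider,2500,08/30/2017,"Hacking/IT Incident, Unauthorized Access/Disclosure","Network Server, Email"
Older Practice,Healthcare Provider,700,11/01/2016,Loss,Paper/Films
"""


def load_breaches(text):
    """Parse the portal CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def rows_for_year(rows, year):
    """Portal dates are MM/DD/YYYY; keep incidents submitted in the given year."""
    return [r for r in rows if r["Breach Submission Date"].endswith("/%d" % year)]


def split_multi(value):
    """A cell may list several comma-separated values; return each one trimmed."""
    return [v.strip() for v in value.split(",") if v.strip()]


def share_by(rows, column, year):
    """Percent of the year's incidents in which each value of `column` appears.
    Multi-valued cells count once per value, so the shares can sum above 100."""
    year_rows = rows_for_year(rows, year)
    counts = Counter(v for r in year_rows for v in split_multi(r[column]))
    total = len(year_rows)
    return {v: round(100.0 * n / total, 1) for v, n in counts.items()} if total else {}


def individuals_affected(rows, year, name_contains=""):
    """Sum of individuals affected for the year, optionally restricted to covered
    entities whose name contains `name_contains` (e.g. 'Urology')."""
    return sum(int(r["Individuals Affected"]) for r in rows_for_year(rows, year)
               if name_contains.lower() in r["Name of Covered Entity"].lower())


def annualized_count(rows, year, months_reported):
    """Scale a partial year's incident count to a full-year figure."""
    return round(len(rows_for_year(rows, year)) * 12.0 / months_reported, 1)
```

Running `share_by(load_breaches(SAMPLE_CSV), "Location of Breached Information", 2017)` on the constructed rows puts email and network server at the top, the same two locations that lead the real portal data.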
What are the consequences of suffering a data breach in your organization? Assuming you self-report as required by law, you may look forward to an investigation by the OCR that could result in civil monetary penalties, a corrective action plan, a resolution agreement, or even resolution without further action. The civil monetary penalties associated with a confirmed breach are significant and stipulated in law (bit.ly/Breachlaw). There are other potential costs: legal fees, damage to reputation, credit monitoring, and even civil litigation (bit.ly/Cybersecurityhealthcare). A breach could literally bankrupt a small medical practice.