"Urologists need to be ever more vigilant to protect the private information under their custodianship," writes Robert A. Dowling, MD.
Robert A. Dowling, MD
In 2015, I wrote a series of articles outlining privacy and security concerns for urologists in light of emerging evidence that health care organizations were being targeted for their sensitive data (www.modernmedicine.com/tag/protecting-patient-data). Since then, the problem has continued, if not worsened, and urologists need to be ever more vigilant to protect the private information under their custodianship. In this article, I will review some recent developments in this area and some steps that urologists can take to minimize their risk.
The public's attention was recently turned to breaches of private and sensitive information when the large credit bureau Equifax disclosed the exposure of private information on over 140 million Americans, an exposure that may have been due to the actions of a single individual. According to the Identity Theft Resource Center (bit.ly/USbreaches), the number of reported data breaches tracked in the U.S. is on track for an all-time high in 2017, a 29% increase over 2016. One-third of the breaches in 2016 involved health/medical organizations, second only to the general business category, the center reports. Hacking is the leading cause of breach (63%) and has more than doubled as a percentage of breaches since 2014 (bit.ly/Breachcause). According to some industry experts, this continued rise could reflect hacking becoming easier, or an increased awareness on the part of health care organizations of their responsibility to report (bit.ly/Healthbreaches).
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), as required by the HITECH Act, publishes breaches of unsecured protected health information affecting 500 or more individuals on its portal/website (bit.ly/Breachlist). This author’s analysis of the incident data contained therein (health care-related breaches) reveals the following information related to data through September 2017 (annualized):
Since 2009, 12 organizations in the HHS/OCR data can be readily identified as urology entities from the name of the covered entity (less than 1% of health care provider entities). These include one organization that reported a hacking incident involving a network server and 300,000 individuals in 2016, and four separate reports in 2017 (all unresolved at this writing) involving 300,036 individuals in total; two of those 2017 incidents also involved hacking of a network server, and one was an unauthorized disclosure via email (939 individuals).
What are the consequences of suffering a data breach in your organization? Assuming you self-report as required by law, you can expect an investigation by the OCR that could result in civil monetary penalties, a corrective action plan, a resolution agreement, or resolution without further action. The civil monetary penalties associated with a confirmed breach are significant and stipulated in law (bit.ly/Breachlaw). There are other potential costs: legal fees, damage to reputation, credit monitoring for affected patients, and even civil litigation (bit.ly/Cybersecurityhealthcare). A breach could bankrupt a small medical practice.
What lessons can urologists learn and apply from this information and these statistics? This is a very real risk to any organization, and as with any risk mitigation strategy, there are some general principles to follow:
Know the law, the rules, and the consequences. If you are a small organization, you should have access to an attorney with contemporary knowledge of this subject matter.
Engage an IT professional with experience in health care information technology. Like medicine, IT is highly specialized, and your employee or partner should understand the risks and prevention strategies specific to your business and your specialty. For example, is your urodynamic machine secure? Specialty devices like this often sit on the same network as your practice management system yet cannot be patched on a normal schedule; at a minimum, inventory them and know who is responsible for keeping them updated. This is a small example of the specialty-specific issues that need to be considered.
Hold your vendors responsible for their contribution to your risk. Be certain that you have business associate agreements in place and reviewed regularly; the absence of a current agreement is itself a violation.
Review common areas of vulnerability. The data reveal that most of the breaches originate in email. Have you formally trained your staff to recognize a phishing attack? Do they know what procedures to follow to send protected health information by email (for example, only through an encrypted channel or a patient portal, never as an unencrypted attachment)? Paper/film is another area of risk. Do you have shredding practices firmly in place? Is there an opportunity to stop printing on paper altogether for certain functions? Is that fax machine printing instead of sending directly to a file folder? Do your physicians still insist on "printing the last progress note"?
Consider insuring for matters out of your control. The cyber insurance industry is in its infancy (bit.ly/Cyberinsurance), and the benefit/cost ratio is still being established. Your business insurance policy may include limited coverage for costs associated with a data breach, and you should understand what remaining risks exist.
Have a data backup plan in place and practice restoring it. This is not a simple matter, but it is an important strategy in the event of data loss or loss of access (ransomware, for example). Keep at least one copy offline or otherwise out of reach of your production network, because ransomware routinely encrypts or deletes any backups it can reach, and a backup that has never been restored successfully should not be counted on.
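What "practice restoring it" can look like in code, as an added example that is not part of the article or the author's own material: the script below backs up a directory into a tar archive together with a SHA-256 manifest taken at backup time, restores the archive into a clean location while refusing archive entries that would write outside that location, and then verifies the restored files against the manifest. All paths, file names and file contents are constructed for the example; the practice data is placeholder text, not real patient records.

```python
"""Backup-and-restore drill: archive a directory with a SHA-256 manifest,
restore it into a clean location, and verify every file matches.
Added example, not from the article; all paths and sample files are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source; return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract archive into target, refusing entries that would escape it
    (the classic '../' tar path-traversal trick) or that are not plain files/dirs."""
    target = target.resolve()
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"refusing to extract outside target: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing non-regular entry: {member.name}")
        tar.extractall(target)


def verify(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the backup-time manifest.
    Returns a sorted list of discrepancies; an empty list means the drill passed."""
    restored = build_manifest(restored_root)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"altered: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def run_drill(files: dict) -> tuple:
    """End-to-end drill on constructed data. Returns (problems on a clean restore,
    problems after one restored file is corrupted and another is deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "practice_data"
        for rel, content in files.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        archive = tmp / "practice_backup.tar.gz"
        manifest = make_backup(source, archive)

        target = tmp / "restore"
        restore(archive, target)
        clean = verify(manifest, target)

        # Simulate a bad restore: corrupt one file, delete another, re-verify.
        names = sorted(files)
        (target / names[0]).write_bytes(b"not the original bytes")
        (target / names[1]).unlink()
        damaged = verify(manifest, target)
        return clean, damaged


# Constructed sample "practice" data; placeholder text, not real patient records.
SAMPLE_FILES = {
    "notes/2017-09-01.txt": b"progress note placeholder\n",
    "schedule/october.csv": b"date,room\n2017-10-02,A\n",
    "config/urodynamics.ini": b"[device]\nexport=file\n",
}

if __name__ == "__main__":
    clean, damaged = run_drill(SAMPLE_FILES)
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

The point of the drill is the last step, not the archive: the manifest is what lets you prove a restore is complete and unaltered, and a restore that reports "missing" or "altered" entries is a finding to act on before the day you need the backup for real.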
Bottom line: Health care organizations are increasingly at risk for hacking attacks and breaches of sensitive information. Practicing in the modern era involves recognizing these risks, an active strategy of prevention and preparedness, and partnership with expert professionals in law and health information technology.