Are you taking steps to prevent data breaches?

Nov 01, 2017

"Urologists need to be ever more vigilant to protect the private information under their custodianship," writes Robert A. Dowling, MD.

In 2015, I wrote a series of articles outlining privacy and security concerns for urologists in light of emerging evidence that health care organizations were being targeted for sensitive data (www.modernmedicine.com/tag/protecting-patient-data). Since then, the problem has continued if not worsened, and urologists need to be ever more vigilant to protect the private information under their custodianship. In this article, I will review some recent developments in this area and some steps that urologists can take to minimize their risk.

Breaches on the rise

The public’s attention was recently turned to breaches of private and sensitive information when the large credit bureau Equifax disclosed the exposure of private information on over 140 million Americans that may have been due to the actions of a single individual. According to the Identity Theft Resource Center (bit.ly/USbreaches), the number of reported data breaches tracked in the U.S. is on track for an all-time high in 2017 and an increase of 29% over 2016. One-third of those breaches in 2016 involved health/medical organizations, second only to the general business category, the center reports. Hacking is the leading cause of breach (63%) and has more than doubled as a percent of breaches since 2014 (bit.ly/Breachcause). This continued rise in activity could be due to hacking becoming easier, or to an increased awareness on the part of health care organizations of their responsibility to report, according to some industry experts (bit.ly/Healthbreaches).


The U.S. Department of Health and Human Services Office for Civil Rights (OCR), as required by the HITECH Act, publishes breaches of unsecured protected health information affecting 500 or more individuals on its portal/website (bit.ly/Breachlist). This author’s analysis of the incident data contained therein reveals the following about health care-related breaches reported through September 2017 (annualized):

  • The most common type of covered entity reporting a breach is health care provider (80.1%). This category includes physician and hospital organizations, and is increasing as a percent of entities reporting a breach. Health plans (13.7%) and business associates (5.7%) were the next largest types.

  • Hacking/IT incidents were identified as the most common type of breach (43.0%) followed by unauthorized access/disclosure (34.5%), theft (15.7%), and loss (4.3%).

  • Somewhat surprising: The electronic medical record was only identified as the source of the breached information in 6.6% of cases, a fraction that has remained steady in the last 3 years. The most common location of breached information was email (23.6%), followed by a network server (21.7%), paper/film (14.0%), other portable device (4.6%), laptop (4.3%), and desktop computer (2.6%).

Since 2009, 12 organizations in the HHS/OCR data can easily be identified as urology entities from the name of the covered entity (less than 1% of health care provider entities). These include one organization reporting a hacking incident involving a network server and 300,000 individuals in 2016, and four separate reports in 2017 (all unresolved at this writing) involving 300,036 individuals; two of those incidents also involved hacking of a network server, and one was an unauthorized disclosure via email (939 individuals).
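As an added illustration (not the author's own analysis or code), the following Python script tabulates a constructed sample laid out like the HHS/OCR breach portal export, reproducing the kind of breakdown given above and the search for urology entities by covered-entity name. The column names, the MM/DD/YYYY date format and the comma-separated multi-location field are assumptions about that export; every row, entity and count is made up.

```python
"""Tabulate a breach-portal style export the way the article's analysis does."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed rows in the shape of the HHS/OCR breach portal's CSV export.
# The column names are an assumption about that export; the entities,
# dates and counts below are invented for this example.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Urology Associates,TX,Healthcare Provider,300000,03/10/2016,Hacking/IT Incident,Network Server
Example Health Plan,CA,Health Plan,1200,05/02/2017,Unauthorized Access/Disclosure,Email
Example Billing Partner,NY,Business Associate,4500,06/15/2017,Theft,Laptop
Example Urology Clinic,FL,Healthcare Provider,939,07/20/2017,Unauthorized Access/Disclosure,Email
Example Hospital,OH,Healthcare Provider,2100,08/01/2017,Hacking/IT Incident,"Email, Network Server"
Example Family Practice,WA,Healthcare Provider,600,09/05/2017,Loss,Paper/Films
"""


def load_rows(text):
    """Parse the CSV into dicts, converting the affected-individuals count to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Individuals Affected"] = int(row["Individuals Affected"])
    return rows


def share(rows, column):
    """Percent of breaches carrying each value of `column`, rounded to one decimal.

    A breach may list several locations in one comma-separated field (assumed
    export convention), so it counts once toward every location it names;
    location shares can therefore sum to more than 100."""
    counts = Counter()
    for row in rows:
        for value in row[column].split(","):
            counts[value.strip()] += 1
    return {k: round(100 * n / len(rows), 1) for k, n in counts.most_common()}


def find_entities(rows, keyword):
    """Entities whose name contains keyword (case-insensitive), with individuals affected."""
    return [
        (r["Name of Covered Entity"], r["Individuals Affected"])
        for r in rows
        if keyword.lower() in r["Name of Covered Entity"].lower()
    ]


def count_in_year(rows, year):
    """Number of breaches submitted in the given year (dates assumed MM/DD/YYYY)."""
    return sum(
        1 for r in rows
        if datetime.strptime(r["Breach Submission Date"], "%m/%d/%Y").year == year
    )


def annualize(count, months_elapsed):
    """Project a year-to-date count over a full 12 months."""
    return round(count * 12 / months_elapsed, 1)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for column in ("Covered Entity Type", "Type of Breach", "Location of Breached Information"):
        print(column, share(rows, column))
    print("urology entities:", find_entities(rows, "urology"))
    print("2017 reports through September, annualized:", annualize(count_in_year(rows, 2017), 9))
```

Run against the real export, the same functions give the entity-type, breach-type and location shares the article cites; the name match is only a first pass, since a practice whose name does not contain "urology" would be missed.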

What are the consequences of suffering a data breach in your organization? Assuming you self-report as required by law, you may look forward to an investigation by the OCR that could result in civil monetary penalties, a corrective action plan, a resolution agreement, or even resolution without further action. The civil monetary penalties associated with a confirmed breach are significant and stipulated in law (bit.ly/Breachlaw). There are other potential costs: legal fees, damage to reputation, credit monitoring, and even civil litigation (bit.ly/Cybersecurityhealthcare). A breach could literally bankrupt a small medical practice.


What you can do

What lessons can urologists learn and apply from this information and these statistics? This is a very real risk to any organization, and as with any risk mitigation strategy, there are some general principles to follow:

Know the law, the rules, and the consequences. If you are a small organization, you should have access to an attorney with contemporary knowledge of this subject matter.

Engage an IT professional with experience in health care information technology. Like medicine, IT is highly specialized, and your employee or partner should understand the risks and prevention strategies specific to your business and your specialty. Is your urodynamic machine secure, for example? That is one small instance of the specialty-specific issues that need to be considered.

Hold your vendors responsible for their contribution to your risk. Be certain that you have business associate agreements in place and reviewed regularly; the absence of such agreements can itself constitute a violation.


Review common areas of vulnerability. The data reveal that most of the breaches originate in email. Have you formally trained your staff how to recognize a phishing attack? Do they know what procedures to follow to send protected health information via email? Paper/film is another area of risk. Do you have shredding practices firmly in place? Is there an opportunity to stop printing on paper altogether for certain functions? Is that fax machine printing instead of sending directly to a file folder? Do your physicians still insist on “printing the last progress note”?

Consider insuring for matters out of your control. The cyber insurance industry is in its infancy (bit.ly/Cyberinsurance), and the benefit/cost ratio is still being established. Your business insurance policy may include limited coverage for costs associated with a data breach, and you should understand what remaining risks exist.

Have a data backup plan in place and practice restoring it. This is not a simple matter, but it is an important strategy in the event of loss or loss of access (ransomware, for example).
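A restore drill is easier to practice when it is scripted, so that it is actually run rather than assumed. The added example below is not from the article: it backs up a constructed directory, records a SHA-256 manifest beside the archive, restores into a scratch directory and reports any file that came back missing, changed or unexpected. A second run deliberately alters a restored file to show what a failed drill looks like. All paths and file contents are invented.

```python
"""Backup-and-restore drill: produce a backup, record a manifest of file
digests, restore into a scratch directory and compare what came back."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Write a .tar.gz of src_dir plus a manifest stored beside (not inside) it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    manifest = build_manifest(src_dir)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def compare_manifests(expected, actual):
    """Report files missing from, changed in, or unexpectedly added to the restore."""
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "changed": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "extra": sorted(p for p in actual if p not in expected),
    }


def restore_drill(archive_path, dest_dir):
    """Restore the archive into dest_dir and check it against the saved manifest."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The 'data' filter refuses absolute paths and '..' traversal in members.
            tar.extractall(dest_dir, filter="data")
        except TypeError:  # interpreter predates extraction filters
            tar.extractall(dest_dir)
    with open(archive_path + ".manifest.json") as f:
        expected = json.load(f)
    return compare_manifests(expected, build_manifest(dest_dir))


def run_demo():
    """Constructed files only: a clean drill, then one with a tampered restore."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "practice_data")
        os.makedirs(os.path.join(src, "notes"))
        with open(os.path.join(src, "schedule.csv"), "w") as f:
            f.write("date,patient_id\n2017-09-01,0001\n")  # constructed sample
        with open(os.path.join(src, "notes", "template.txt"), "w") as f:
            f.write("Progress note template\n")  # constructed sample

        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)

        clean = restore_drill(archive, os.path.join(work, "restore_a"))

        restore_b = os.path.join(work, "restore_b")
        restore_drill(archive, restore_b)
        with open(os.path.join(restore_b, "schedule.csv"), "a") as f:
            f.write("2017-09-02,0002\n")  # simulate a corrupted restore
        with open(archive + ".manifest.json") as f:
            tampered = compare_manifests(json.load(f), build_manifest(restore_b))
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_demo()
    print("clean drill:", clean_report)
    print("tampered drill:", tampered_report)
```

The manifest is written next to the archive rather than inside it, so a damaged or altered archive cannot vouch for itself; in practice the manifest and the archive should be stored in different places, and the drill run on a schedule with a non-empty report treated as a failed backup.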

Bottom line: Health care organizations are increasingly at risk for hacking attacks and breaches of sensitive information. Practicing in the modern era involves recognizing these risks, an active strategy of prevention and preparedness, and partnership with expert professionals in law and health information technology.
