How to safeguard your patients’ information

Nov 01, 2015

In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.

Robert A. Dowling, MD

According to industry experts, nearly half of all Americans have had their sensitive health information compromised.


In April 2014, the FBI Cyber Division issued a private industry notification entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” and concluded that health care organizations and medical devices are at significant risk for cyberintrusion and theft of personal information (http://bit.ly/FBIbreachreport). Among the FBI’s findings:

  • The health care industry is not as prepared for cyber attacks as the financial and retail sectors.

  • Virtual private networks, firewalls, routers, and especially medical devices are often compromised.

  • Cyber criminals charge $50 for a stolen electronic health record on the black market versus $1 for a stolen Social Security or credit card number.

  • Electronic health record theft is much harder to detect than “normal” identity theft.

In its 2015 “Industry Drill-Down Report: Healthcare,” Raytheon notes that the surge in cyber attacks on the health care industry may be driven by the value of the data: Health care records contain not only identity elements (name, date of birth, Social Security number, address, etc.) but also direct links to financial and insurance information for each patient record (http://bit.ly/Drilldown). Health care networks are often interconnected with devices and other large information systems (e.g., insurance companies), making them an attractive target. Health care organizations may lack the technical and administrative resources necessary to combat advanced malware.

According to one private study, criminal attacks, including those involving malicious insiders and/or paper files, are now the leading cause of data breaches in health care and may constitute a $6 billion epidemic (http://bit.ly/Breachstudy). Health care systems are high-value and poorly protected targets.


Steps you should take

What steps can a urology practice of any size take to confront this enormous privacy and security issue?

Raise awareness of the problem with your physicians and staff. They are important custodians of valuable information, and may not appreciate their role in prevention or unintentional facilitation of a crime.

Review your hiring practices and employee policy manuals. Criminal background checks, drug screening, and comprehensive applications are all standard practice in industries that permit employee access to sensitive information. Are they part of your business?


Conduct formal training for physicians and staff in privacy and security, including but not limited to HIPAA. Consult your malpractice carrier’s risk management division, which may offer this training for free. Any modest investment in prevention and training will pale in comparison to the cost of mitigating a recognized breach.

Review your business insurance policy for coverage of cybercrime, specifically the acts of an insider or intruder who gains access to records containing medical information.

Limit employees’ access to only that information required to perform their specific function.

Perform regular audits of routine access to information systems, and “break glass” access. (Break glass is a method to access a record that has security settings that would not normally allow that user access.) Unauthorized access to personal information should be specifically addressed in your employee handbook.
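The two preceding steps, least-privilege access and routine review of both normal and break-glass access, can be checked against the access logs most EHR systems already produce. The script below is an added illustration and is not from the article or from any particular EHR vendor: the role-to-record-section permission table and the CSV log lines are constructed for the example, and real systems will use their own column names and role definitions. It flags accesses that fall outside a role's permitted record sections without a break-glass override (a control failure), lists every break-glass event for manual review, and counts break-glass use per user so that unusually frequent use stands out.

```python
"""Audit constructed EHR access-log lines for least-privilege violations
and break-glass use. Example code; roles, columns and data are assumed."""
import csv
import io
from collections import Counter

# Hypothetical least-privilege table: each role may read only the record
# sections its job function requires.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "schedule"},
    "billing": {"demographics", "billing"},
    "nurse": {"demographics", "schedule", "clinical_notes", "medications"},
    "physician": {"demographics", "schedule", "clinical_notes",
                  "medications", "billing"},
}

# Constructed sample log (not real data). A break_glass value of "yes" means
# the user invoked the emergency override to open a record their normal
# permissions would not allow.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,resource,break_glass
2015-10-05T08:02:11,jsmith,front_desk,P1001,schedule,no
2015-10-05T08:05:43,jsmith,front_desk,P1001,clinical_notes,no
2015-10-05T09:15:02,mlee,nurse,P1002,medications,no
2015-10-05T11:47:30,rgarcia,billing,P1003,billing,no
2015-10-05T13:20:09,rgarcia,billing,P1003,clinical_notes,yes
2015-10-05T14:01:55,dkim,physician,P1004,clinical_notes,no
2015-10-05T14:02:40,dkim,physician,P1005,clinical_notes,yes
2015-10-05T16:30:00,jsmith,front_desk,P1006,medications,yes
2015-10-05T16:45:12,jsmith,front_desk,P1007,clinical_notes,yes
2015-10-05T17:10:00,tmp01,contractor,P1008,demographics,no
"""


def parse_log(text):
    """Parse CSV log text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, permissions=ROLE_PERMISSIONS):
    """Classify each access record.

    unauthorized: resource outside the role's permissions and no break glass
                  (the access control itself failed, or the table is wrong)
    break_glass:  every override use, all of which need human review
    unknown_role: role not in the permission table (stale account, vendor, etc.)
    """
    findings = {"unauthorized": [], "break_glass": [], "unknown_role": []}
    for rec in records:
        allowed = permissions.get(rec["role"])
        if allowed is None:
            findings["unknown_role"].append(rec)
            continue
        if rec["break_glass"].strip().lower() == "yes":
            findings["break_glass"].append(rec)
        elif rec["resource"] not in allowed:
            findings["unauthorized"].append(rec)
    return findings


def break_glass_by_user(findings):
    """Count break-glass events per user; frequent use is a review signal."""
    return dict(Counter(rec["user"] for rec in findings["break_glass"]))


def report(findings):
    """Return a short plain-text audit summary."""
    lines = [f"Unauthorized accesses (no break glass): {len(findings['unauthorized'])}"]
    for rec in findings["unauthorized"]:
        lines.append(f"  {rec['timestamp']} {rec['user']} ({rec['role']}) "
                     f"read {rec['resource']} of {rec['patient_id']}")
    lines.append(f"Break-glass events for review: {len(findings['break_glass'])}")
    for user, count in sorted(break_glass_by_user(findings).items()):
        lines.append(f"  {user}: {count}")
    lines.append(f"Accesses by unknown roles: {len(findings['unknown_role'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(parse_log(SAMPLE_LOG))))
```

Run against the sample, the report shows one front-desk read of clinical notes without an override (the first thing to investigate, since the system should have blocked it), four break-glass events of which two belong to the same front-desk user, and one access by an account whose role is not in the table. Each of those three buckets maps to an item the employee handbook should already address.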


Engage a certified IT professional to assess your infrastructure, security practices, Internet service provider, and employee policies regarding the Internet. Managing a medical information technology environment is beyond the capability of amateurs and do-it-yourselfers; this is the cost of running a medical practice in today’s world.


Review and minimize the paper inputs, storage, and outputs in your practice. Specifically:

  • Is your incoming mail adequately protected from theft?

  • Do not print items from your EHR or other information systems unless it is absolutely necessary. Reliance on paper for workflows in the practice carries substantial risk.

  • Routinely shred any paper, no matter how insignificant it may seem.

  • Do not leave documents containing sensitive information unsecured in a lab coat, on a desktop, or on a fax machine, scanner, photocopier, or elsewhere for an extended time.

  • Direct incoming faxes to a file or scan solution; do not print them.

  • Remember that most copiers, fax machines, and scanners store information in memory, and that memory is easily accessible by cyber criminals. When replacing or discarding these devices, be sure the memory is erased in a compliant fashion.

Follow best practices for creating complex passwords, protect them, and change them regularly. This includes desktops, mobile devices, and virtual private networks, as well as those systems maintained by vendors who may have their own password requirements.


Report any unauthorized access of personal information to the proper authorities, including local law enforcement, the FBI, and others as appropriate. These entities collect important information that may detect threats and help prevent future intrusions.

Bottom line: Personal medical information needs to be accessible and shareable in order for physicians and others to render the best possible care to their patients. Criminals have taken advantage of this risk to make health care organizations the leading source of information breaches/theft in the United States. While the risk cannot be eliminated, sensible steps like the ones listed in this article can help mitigate the risk.
