In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.
Robert A. Dowling, MD
According to industry experts, nearly half of all Americans have had their sensitive health information compromised.
In April 2014, the FBI Cyber Division issued a private industry notification entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” and concluded that health care organizations and medical devices are at significant risk for cyberintrusion and theft of personal information (http://bit.ly/FBIbreachreport). Among the FBI’s findings:
In its 2015 “Industry Drill-Down Report-Healthcare,” Raytheon notes that the surge in cyber attacks on the health care industry may be driven by the value of the data: Health care records contain not only identity elements (name, date of birth, Social Security number, address, etc.) but also direct links to financial and insurance information for each patient record (http://bit.ly/Drilldown). Health care networks are often interconnected with devices and other large information systems (eg, insurance companies), making them an attractive target. Health care organizations may lack the technical and administrative resources necessary to combat advanced malware.
According to one private study, criminal attacks (including those carried out by malicious insiders and those involving paper records) are now the leading cause of data breaches in health care and may constitute a $6 billion epidemic (http://bit.ly/Breachstudy). Health care systems are high-value and poorly protected targets.
What steps can a urology practice of any size take to confront this enormous privacy and security issue?
Raise awareness of the problem with your physicians and staff. They are important custodians of valuable information, and may not appreciate their role in prevention or unintentional facilitation of a crime.
Review your hiring practices and employee policy manuals. Criminal background checks, drug screening, and comprehensive applications are all standard practice in industries that permit employee access to sensitive information. Are they part of your business?
Conduct formal training for physicians and staff in privacy and security, including but not limited to HIPAA. Consult your malpractice carrier’s risk management division, which may offer this training for free. Any modest investment in prevention and training will pale in comparison to the cost of mitigating a recognized breach.
Review your business insurance policy for coverage of cybercrime, specifically the acts of an insider or intruder who gains access to records containing medical information.
Limit each employee's access to only the information required to perform his or her specific function (the principle of least privilege), and revoke that access promptly when a role changes or employment ends.
Perform regular audits of both routine access to information systems and "break glass" access. (Break glass is a mechanism that lets a user open a record whose security settings would not normally allow that user access; every such use should be logged and reviewed.) Unauthorized access to personal information should be specifically addressed in your employee handbook.
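The two items above (least-privilege access and regular audits of routine and break-glass access) are the ones a practice can actually check with a script rather than a policy memo. The following is an added example, not code from the article or from any EHR vendor: it reviews a constructed, CSV-style access log against an assumed role-to-action table and returns the entries a privacy officer should look at. The log format, the role table, the user names and the sample entries are all assumptions made for the illustration; a real practice would substitute the export format and access policy of its own system.

```python
"""Review EHR access logs for break-glass use and out-of-role access.

Added example: the log format, the role table and the sample entries below
are constructed for illustration and are not from any real EHR product.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Routine (non-break-glass) actions each role may perform. Assumption for the
# example; a real practice derives this table from its own access policy.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "edit_chart", "view_billing"},
    "nurse": {"view_chart", "edit_chart"},
    "front_desk": {"view_demographics", "view_billing"},
    "billing": {"view_billing"},
}

# Constructed sample log (not real data). One event per line:
# timestamp,user,role,patient_id,action,break_glass
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,break_glass
2015-08-03T08:02:11,jdoe,nurse,P1001,view_chart,no
2015-08-03T08:05:40,jdoe,nurse,P1002,view_chart,no
2015-08-03T08:06:02,rsmith,front_desk,P1003,view_demographics,no
2015-08-03T08:07:15,rsmith,front_desk,P1004,view_chart,no
2015-08-03T08:08:20,jdoe,nurse,P1008,edit_chart,no
2015-08-03T08:09:30,mlee,physician,P2001,view_chart,yes
2015-08-03T08:09:45,jdoe,nurse,P1009,view_chart,no
2015-08-03T08:10:00,tkim,billing,P1001,view_billing,no
2015-08-03T08:11:30,jdoe,nurse,P1010,view_chart,no
2015-08-03T08:12:00,vendor1,contractor,P1003,view_chart,no
"""


def parse_log(text):
    """Parse the CSV-style log into event dicts with a parsed timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["break_glass"] = row["break_glass"].strip().lower() == "yes"
        events.append(row)
    return events


def _finding(event, reason, detail=""):
    """Build one review item from an event and the reason it was flagged."""
    return {
        "reason": reason,
        "timestamp": event["timestamp"],
        "user": event["user"],
        "role": event["role"],
        "patient_id": event["patient_id"],
        "action": event["action"],
        "detail": detail,
    }


def audit(events, window=timedelta(minutes=10), max_patients=3):
    """Return the events a privacy officer should review.

    Flags: unknown_role (no policy entry for the role), break_glass (every
    use is reviewed, even if the action would otherwise be permitted),
    out_of_role (action not permitted for the role), high_volume (one user
    touching more than max_patients distinct patients within `window`).
    """
    findings = []
    for e in events:
        allowed = ROLE_PERMISSIONS.get(e["role"])
        if allowed is None:
            findings.append(_finding(e, "unknown_role"))
        elif e["break_glass"]:
            findings.append(_finding(e, "break_glass"))
        elif e["action"] not in allowed:
            findings.append(_finding(e, "out_of_role"))

    # Volume check: a crude snooping indicator. The threshold must be tuned
    # per role; a triage nurse legitimately opens more charts than a biller.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            seen = {x["patient_id"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) > max_patients:
                findings.append(_finding(start, "high_volume",
                                         f"{len(seen)} distinct patients within {window}"))
                break  # one finding per user is enough for the review queue
    return findings


def summarize(findings):
    """Count findings by reason, for a one-line monthly report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['user']:8} {f['role']:11} {f['patient_id']:6} "
              f"{f['action']:18} {f['reason']:12} {f['detail']}")
```

Run against the constructed log, the script flags the front-desk user who opened a chart, the physician's break-glass access, the contractor account with no policy entry, and the nurse who opened five charts in under ten minutes. The first three are policy findings; the last is only a prompt for a conversation, which is why the threshold is a parameter rather than a constant.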
Engage a certified IT professional to assess your infrastructure, security practices, Internet service provider, and employee policies regarding the Internet. Managing a medical information technology environment is beyond the capability of amateurs and do-it-yourselfers; this is the cost of running a medical practice in today’s world.
Review and minimize the paper inputs, storage, and outputs in your practice. Specifically:
Follow best practices for creating strong passwords that are unique to each system, protect them, and change them whenever you suspect they may have been compromised. This applies to desktops, mobile devices, and virtual private networks, as well as to systems maintained by vendors, who may have their own password requirements.
Report any unauthorized access to personal information to the proper authorities, including local law enforcement, the FBI, and others as appropriate, and meet any breach notification obligations that apply under HIPAA. These entities collect information that may detect threats and help prevent future intrusions.
Bottom line: Personal medical information needs to be accessible and shareable in order for physicians and others to render the best possible care to their patients. Criminals have taken advantage of that necessity to make health care organizations the leading source of information breaches and theft in the United States. While the risk cannot be eliminated, sensible steps like the ones listed in this article can help mitigate it.