How to safeguard your patients’ information

Article

In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.

Robert A. Dowling, MDAccording to industry experts, nearly half of all Americans have had their sensitive health information compromised. In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.  

Related: Your patients’ personal information is at risk

In April 2014, the FBI Cyber Division issued a private industry notification entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” and concluded that health care organizations and medical devices are at significant risk for cyberintrusion and theft of personal information (http://bit.ly/FBIbreachreport). Among the FBI’s findings:

  • The health care industry is not as prepared for cyber attacks as the financial and retail sectors.

  • Virtual private networks, firewalls, routers, and especially medical devices are often compromised.

  • Cyber criminals charge $50 for a stolen electronic health record on the black market versus $1 for a stolen Social Security or credit card number.

  • Electronic health record theft is much harder to detect than “normal” identity theft.

In its 2015 “Industry Drill-Down Report-Healthcare,” Raytheon notes that the surge in cyber attacks on the health care industry may be driven by the value of the data: Health care records contain not only identity elements (name, date of birth, Social Security number, address, etc.) but also direct links to financial and insurance information for each patient record (http://bit.ly/Drilldown). Health care networks are often interconnected with devices and other large information systems (eg, insurance companies), making them an attractive target. Health care organizations may lack the technical and administrative resources necessary to combat advanced malware.

According to one private study, criminal attacks-including malicious insiders and/or paper files-are now the leading cause of data breaches in health care and may constitute a $6 billion epidemic (http://bit.ly/Breachstudy). Health care systems are high-value and poorly protected targets.

Next: Steps you should take

 

Steps you should take

What steps can a urology practice of any size take to confront this enormous privacy and security issue?

Raise awareness of the problem with your physicians and staff. They are important custodians of valuable information, and may not appreciate their role in prevention or unintentional facilitation of a crime.

Review your hiring practices and employee policy manuals. Criminal background checks, drug screening, and comprehensive applications are all standard practice in industries that permit employee access to sensitive information. Are they part of your business?

Also see: Watch out for these 7 common EHR mistakes

Conduct formal training for physicians and staff in privacy and security, including but not limited to HIPAA. Consult your malpractice carrier’s risk management division, which may offer this training for free. Any modest investment in prevention and training will pale in comparison to the cost of mitigating a recognized breach.

Review your business insurance policy for coverage of cybercrime-specifically the acts of an insider or intruder who gains access to records containing medical information.

Limit employees’ access to only that information required to perform their specific function.

Perform regular audits of routine access to information systems, and “break glass” access. (Break glass is a method to access a record that has security settings that would not normally allow that user access.) Unauthorized access to personal information should be specifically addressed in your employee handbook.

Next: Engage a certified IT professional to assess to assess your infrastructure, security practices

 

Engage a certified IT professional to assess your infrastructure, security practices, Internet service provider, and employee policies regarding the Internet. Managing a medical information technology environment is beyond the capability of amateurs and do-it-yourselfers; this is the cost of running a medical practice in today’s world.

Read: Extracapsular prostate cancer leads patient to sue

Review and minimize the paper inputs, storage, and outputs in your practice. Specifically:

  • Is your incoming mail adequately protected from theft?

  • Do not print items from your EHR or other information systems unless it is absolutely necessary. Reliance on paper for workflows in the practice carries substantial risk.

  • Routinely shred any paper, no matter how insignificant it may seem.

  • Do not leave documents containing sensitive information unsecured in a lab coat, on a desktop, or on a fax machine, scanner, photocopier, or elsewhere for an extended time.

  • Direct incoming faxes to a file or scan solution-do not print.

  • Remember that most copiers, fax machines, and scanners store information in memory, and that memory is easily accessible by cyber criminals. When replacing or discarding these devices, be sure the memory is erased in a compliant fashion.

Follow best practices for creating complex passwords, protect them, and change them regularly. This includes desktops, mobile devices, and virtual private networks, as well as those systems maintained by vendors who may have their own password requirements.

Next: Report any unauthorized access to the proper authorities

 

Report any unauthorized access of personal information to the proper authorities,including local law enforcement, the FBI, and others as appropriate. These entities collect important information that may detect threats and help prevent future intrusions.

Bottom line: Personal medical information needs to be accessible and shareable in order for physicians and others to render the best possible care to their patients. Criminals have taken advantage of this risk to make health care organizations the leading source of information breaches/theft in the United States. While the risk cannot be eliminated, sensible steps like the ones listed in this article can help mitigate the risk.

More from Dr. Dowling:

Do you know what your 'surgeon score' is?

CMS data offer insights into urologists’ pay

Social media: Why you need to be involved

Subscribe to Urology Times to get monthly news from the leading news source for urologists.

Related Videos
Anne M. Suskind, MD, MS, FACS, FPMRS, answers a question during a Zoom video interview
African American doctor having headache while reading an e-mail on laptop | Image Credit: © Drazen - stock.adobe.com
Man talking with a doctor on a tablet | Image Credit: © JPC-PROD - stock.adobe.com
Anne M. Suskind, MD, MS, FACS, FPMRS, answers a question during a Zoom video interview
Related Content
Female doctor working on a tablet | Image Credit: © NINENII - stock.adobe.com

How to bill for performing complex urodynamics

April 23rd 2024
Article

"To answer this question, one must know what is and is not included in the global payment for the UDS, and the definition and instructions for appropriate use of modifier 25," write Jonathan Rubenstein, MD, and Mark Painter.

Health policy in urology: 2024 AUA Advocacy Summit recap

Health policy in urology: 2024 AUA Advocacy Summit recap

March 21st 2024
Podcast

In this episode of Speaking of Urology®, Eugene Rhee, MD, MBA, and Logan Galansky, MD, discuss key topics in health policy and recap the AUA's recent Annual Urology Advocacy Summit.

Woman doctor doing medical billing at computer | Image Credit: © Andrey Popov - stock.adobe.com

Coding for bladder catheterization via a Monti channel

April 8th 2024
Article

"Use code 51702 for the routine insertion of an indwelling bladder catheter, such as a Foley," write Jonathan Rubenstein, MD, and Mark Painter.

How APPs can bridge the gap in urologist shortages

How APPs can bridge the gap in urologist shortages

August 28th 2023
Podcast

In this episode, Janelle Bunce, PA-C, highlights the role that advanced practice providers can play in filling the gaps created by the growing workforce shortages in urology.

Person using calculator and taking notes | Image Credit: © Nuttapong punna - stock.adobe.com

Potential code for prior authorizations on AMA CPT Editorial Panel meeting agenda

March 28th 2024
Article

"Good public and economic policy must align costs, benefits, and incentives; currently, all costs are incurred by physician practices, and all financial savings and benefits from prior authorization accrue to health insurance plans, leading to perverse incentives,” says Alex Shteynshlyuger, MD.

Expert discusses the potential for telesurgery in urology

Expert discusses the potential for telesurgery in urology

March 23rd 2024
Article

"The implications for urology, and every specialty, are immense. It does improve care, and it helps the patient. I think this is what it will be, it just may take some time," says Vipul Patel, MD.

© 2024 MJH Life Sciences

All rights reserved.