Data breaches of protected health information (PHI) are a growing problem. A December 2012 report by the Ponemon Institute found that 94 percent of healthcare organizations surveyed reported at least one breach in the past 24 months.
Most data breaches are unintentional, but attacks by cybercriminals pose an increasing risk. A cybercriminal can be anyone using a computer to steal data or disrupt operations. Although the media tends to focus on gangs of cybercriminals operating from overseas, the threat from insiders such as ex-employees is also growing.
Some individuals seek data they can sell; others may be looking to obtain illegal prescriptions. Today’s cybercriminals have new and different motivations, approaches and goals.
A medical office can present a tempting target because it houses many individual patient records (often with Social Security numbers) and may have a billing system with direct access to bank accounts and stored credit card information.
While most small medical practices lack a full-time IT professional who can run daily security checks or manage sophisticated security programs, there are five simple steps you can take to reduce your vulnerability.
1. Implement basic security procedures.
One very basic but often overlooked practice is to forbid staff from displaying passwords in public. This includes passwords written on tape on laptops or sticky notes attached to PCs. In addition, all passwords should contain combinations of letters, numbers and symbols.
Another simple step is to make sure you have in place both a network firewall and an anti-virus system. All major operating systems include a firewall and most Internet service providers (e.g., Verizon) provide firewalls on their routers for office-based Wi-Fi service.
Anti-virus programs are relatively inexpensive and prevent many common attacks; however, they don’t offer protection against sophisticated viruses, which can spread within hours, before the vendors have a chance to push out fixes.
2. Conduct a risk analysis.
Under current HIPAA law, all covered entities (e.g., physician offices, hospitals) are required to conduct a risk analysis. Conducting a risk analysis is also included as part of attesting for meaningful use incentives. As part of a risk analysis, the Department of Health & Human Services (HHS) expects organizations to develop and implement safeguards to manage the identified risks. Most recently the department issued new rules to modify the HIPAA privacy, security and enforcement rules and heighten the requirements for healthcare organizations.
What should a risk analysis include? HHS has referenced as a guideline the standards set by the National Institute of Standards and Technology (NIST) in its Special Publication 800-30.
According to the NIST standard, the key purposes of a risk assessment are to identify “relevant threats” to the organization, “vulnerabilities, both internal and external,” impact and the “likelihood that harm will occur.”
3. Encrypt all at-rest (stored) medical data.
Your patient records are the core of your business; they should receive the highest level of protection.
According to the American Medical Association, physicians should encrypt “any systems and individual files” containing PHI. This includes EMRs, medical images, claims payments and emails containing PHI.
Physical encryption is a very reliable way of protecting data. The highest level commercially available is AES 256-bit encryption, the standard used by the U.S. military. Some computer operating systems offer their own encryption, and it is also available as a separate, add-on software system. However, most security experts recommend self-encrypting storage hardware for two reasons: First, cybercriminals can easily hack into most operating systems; second, employees can forget to turn on encryption software.
With physical encryption, the key to securing your data remains in your own hands: a hardware encryption key, generally the size of a thumb drive, is kept separate from the storage unit, and inserting the proper key into the device is the only way the data can be accessed.
4. Do not store PHI on smartphones.
Smartphones have many potential uses in medicine; unfortunately they are easily lost or stolen. The average cell phone user loses a phone once every 18 months.
For small medical groups, the easiest solution is to prevent mobile devices from accessing the practice’s network data. If staff clinicians need to work from remote locations, an office manager can contract with a third party to make sure that any medical data accessed remotely is encrypted.
5. Encrypt data on laptops and storage devices.
The Ponemon Institute survey found that the biggest single source of data breaches (46 percent) was “loss of equipment” including laptops, desktops and portable storage disks. Laptops continue to pose a major security threat because they are in such widespread use and can store large amounts of patient files.
One simple, user-friendly, affordable option is to store PHI on a portable, encrypted external hard drive instead of storing it directly on the laptop. For example, a small hardware-encrypted external hard drive (about the size of an iPhone) cannot be accessed without the physical key, so its contents remain inaccessible if the drive is lost or stolen.
All portable storage backup discs (such as those connected to a server) should be encrypted, even if they are stored in a locked cabinet. Note that “wiping” a storage disk prior to disposal is not 100 percent secure. A sophisticated criminal can easily retrieve data from an erased or wiped disk.
Jerry Kaner, CEO of Los Angeles-based Ciphertex, has consulted for the FBI and U.S. Secret Service on data encryption and recovery.