First published in Managed Healthcare Executive | June 30, 2015 | By Jeff Brunken
How to protect your organization against a HIPAA breach
Here’s the sad truth about information systems: Very few of them are safe from hackers. If cyber criminals can read President Obama’s unclassified email, if foreign hackers can affect the screening of a major motion picture, and if an international ring of hackers can steal $1 billion from more than 100 banks by, in part, causing ATMs to spew money onto sidewalks, then few IT systems are completely secure.
We’ve learned this lesson over the past few months and years as cyber criminals have collected credit card information from Home Depot, Neiman Marcus, and Target, and millions of patients’ records from Anthem, CareFirst, and Premera. Clearly, healthcare organizations need to be prepared. The question, then, is: What steps should we take now to prepare?
Having adequate insurance coverage is a good place to start, for a couple of reasons. First, coverage that is tailored to a healthcare organization and carries appropriate liability limits makes sense for any business today. Second, all healthcare companies, regardless of size, need to be prepared to respond quickly, and a good policy brings response resources with it.
A data breach makes all consumers, including patients and health plan members, extremely vulnerable. Once a breach occurs, consumers whose financial data and protected health information (PHI) are in the hands of criminals could lose thousands or even millions of dollars. They could also lose something of much greater value: peace of mind. In addition, healthcare organizations have become prime targets because patient data has an even higher street value than other personal information. Last year, experts estimated that data from one patient was worth about $10 to a criminal, 10 to 20 times what one credit card number would fetch.
For all these reasons, it’s vital that those responsible for storing and securing patients’ and health plan members’ financial and health information respond quickly.
Given that many healthcare providers maintain all three types of protected data, personal credit information, personally identifiable information (PII), and PHI, the opportunity for hackers to access all three types, and especially PHI, makes all healthcare providers and insurers attractive targets.
The longer we wait to inform patients and members, the more time criminals have to wreak havoc on bank accounts and credit cards and to use medical information to their advantage. Retail breaches usually are limited to the theft of credit card or bank card data. In healthcare, we are more vulnerable to cyber crime because there are so many enterprises of various sizes, from small physician groups to the largest health insurers, and each one is a target. Each physician group and each healthcare organization, regardless of size, is linked to larger companies, such as hospitals and insurers, and to smaller companies, including systems vendors and other healthcare providers. At each location in the chain, from a small three-member doctor group to a major national corporation, we’ve made IT systems easier to hack by allowing access to as many providers as possible so that physicians can see patients’ data from last week, last month, and last year.
We’ve also granted patients wider access to their data through online portals that let them view their electronic health records easily from any device, including tablets and smartphones. Improving access for patients and connecting more devices to networks makes it easier for criminals to gain access too. What’s more, providers have been converting millions of patients’ paper records to electronic data over the past few years. While those paper records were inconvenient and easy to lose, they at least could not be copied in bulk from across the internet the way electronic charts can, a factor that might make physician groups the most vulnerable of all entities in healthcare.
Not only is the data in today’s EHRs accessible to hackers, but many physician offices are in various stages of upgrading their EHR systems to comply with federal meaningful use regulations. While they’re putting these systems in place, few physicians are worrying about installing comprehensive data security systems.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), physician groups and healthcare organizations of all sizes are responsible for ensuring that their business associates have secured the information systems that handle their patients’ data. Keep in mind that third-party business associate vendors cause a large share of reported data breaches. So, for many reasons, it’s a dangerous time for anyone running a physician’s office.
Having adequate cyber coverage will go a long way toward mitigating the damage of a breach. Some insurers automatically add cyber coverage to their standard malpractice policies, and that coverage often includes services that take over the breach response function for the insured. Such offerings are important because they allow any healthcare organization to deliver a fast, thorough, and appropriate response as soon as possible after a cyber attack of any kind. A quick response is vital to retaining the respect of your customers and vendors. In addition, your coverage should allow you to offer all of your patients and employees credit monitoring for at least six months, if not longer, and it should help patients and employees notify all of their credit card issuers. Your current cyber coverage might already include the services of a breach consultant who can advise you, and more importantly your patients or health plan members, about the steps to take to protect their data after a breach.
Just having someone to consult with on such a treacherous issue could be enough to calm your nerves and those of your patients or plan members as well.
Jeff Brunken is the president of the MGIS Companies, Inc., in Salt Lake City, Utah.