Be Cybersecure: Protect Patient Records, Avoid Fines, and Safeguard Your Reputation
Cybercrime costs the U.S. economy billions of dollars each year and forces organizations to devote substantial time and resources to keeping their information secure. This is even more important for healthcare organizations, the most frequently attacked form of business.[1] Cybercriminals target healthcare for two main reasons: healthcare organizations fail to upgrade their cybersecurity as quickly as other businesses, and criminals find personal patient information particularly valuable to exploit.
Recent cyberattacks on large health insurance companies further demonstrate cybersecurity risks. On January 29, 2015, Anthem, the second largest health insurer in the United States, announced it was the victim of a sophisticated cyberattack that it believed happened over several weeks starting in December 2014.[2] Reported as one of the largest attacks to date, the Anthem breach exposed the information of up to 80 million current and former members, including names, birth dates, Social Security numbers, healthcare IDs, and addresses.[3] That same day, Premera Blue Cross discovered it was also a victim of a cyberattack, with an initial attack taking place in May 2014. Cybercriminals gained unauthorized access to the information of up to 11 million Premera customers dating back to 2002, ranging from birth dates and Social Security numbers to addresses and bank account information—the second largest breach, after Anthem, in the healthcare industry.[4]
The repercussions of security breaches can be daunting. A business that suffers a breach of unencrypted personal health information (PHI) must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. To date, the OCR has levied over $25 million in fines, with the largest single fine totaling $4.8 million.[5] In 2014, U.S. healthcare data breaches cost companies an average of $314 per record—the highest of any industry.[6]
A healthcare organization’s brand and reputation are also at stake. The OCR maintains a searchable database (informally known as a “wall of shame”) that publicly lists all entities that were fined for breaches that meet the 500-record requirement.[7]
To help safeguard your systems, know the most common ways a breach occurs. The theft of unencrypted electronic devices or physical records is the most common method, accounting for 29 percent of breaches across all industries in the United States.[2] Also common are hacking (23 percent) and public distribution of personal records (20 percent). A breach in the latter category led to the largest OCR fine to date when two affiliated hospitals accidentally made patient records public on the Internet.[5]
If you think you may not be fully compliant with HIPAA privacy and security rules, consider taking the following steps:
- Identify all areas of potential vulnerability. Develop secure office processes, such as:
  - Sign-in sheets that ask for only minimal information.
  - Procedures for the handling and destruction of paper records.
  - Policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
- Encrypt all devices that contain PHI (laptops, desktops, thumb drives, and centralized storage devices). Make sure that thumb drives are encrypted and that the password or key needed to unlock them is not written on or stored with the thumb drive. Encryption is the best way to prevent a breach.
- Train your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to openly discuss patient PHI.
- Audit and test your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach. The OCR audits entities that have had a breach, as well as those that have not. The OCR will check if you have procedures in place in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine.
- Insure. Make sure that your practice has insurance to assist with certain costs in case of a breach.
Learn more with The Doctors Company’s cybersecurity resources.
By David McHale, Senior Vice President and Chief Legal Officer, The Doctors Company
1. Top 5 industries at risk of cyber-attacks. Forbes. May 13, 2016. http://www.forbes.com/sites/stevemorgan/2016/05/13/list-of-the-5-most-cyber-attacked-industries/#3c9320d33954. Accessed September 14, 2016.
2. How to Access & Sign Up for Identity Theft Repair & Credit Monitoring Services. Anthem, Inc. February 13, 2015. https://www.anthemfacts.com. Accessed March 19, 2015.
3. McCann E. Hackers swipe Anthem data in massive cyberattack. Healthcare IT News. February 5, 2015. http://www.healthcareitnews.com/news/hackers-swipe-anthem-data-huge-breach-attack. Accessed March 19, 2015.
4. Miliard M. Premera Blue Cross hack exposes 11M. Healthcare IT News. March 18, 2015. http://www.healthcareitnews.com/news/premera-blue-cross-hack-exposes-data-11m. Accessed March 19, 2015.
5. McCann E. Hospitals fined $4.8M for HIPAA violation. Government Health IT. May 9, 2014. http://www.govhealthit.com/news/hospitals-fined-48m-hipaa-violation. Accessed June 24, 2014.
6. Ponemon Institute LLC. 2014 cost of data breach study: United States. May 2014. Study sponsored by IBM. http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis. Accessed September 10, 2015.
7. Breaches affecting 500 or more individuals. U.S. Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. Accessed June 23, 2014.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.