Microsoft's Southeast headquarters in Charlotte, N.C., hosted an InfraGard seminar where former White House CIO Theresa Payton gave some interesting statistics. New forms of malware are found every 90 seconds (most of them re-engineered variants), and anti-virus programs catch only a third of them. Two-thirds of breaches are due to human error, with ninety percent of those coming from clicking on a bad link.
These stats are chilling, and the recent increase in hacking has many providers and medical professionals wary of using digital communications with patients. While the benefits of using EMRs and devices such as apps and iPads are considerable (consistency in care, faster dissemination of information for treatment, etc.), the risks are daunting, with infraction penalties ranging from fines of up to $1.5 million annually (per violation) to imprisonment for up to 10 years. The total cost of the recent Community Health Systems (CHS) breach is estimated to be as high as $150 million, and experts anticipate these costs will continue to rise. Jerome B. Meites, Chief Regional Counsel for the Office for Civil Rights, stated that the crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months.
The rise in fines and the more aggressive pursuit of infractions are causing quite a stir, and much like a bounced check taped to the wall of a restaurant, perpetrators can find their dirty laundry aired on a much larger scale: a digital, public "wall of shame."
Earlier this year the FBI warned healthcare firms that they are being targeted by hackers for financial gain, and that these intrusions are increasing. So how do you steer clear of leaking patient data when savvy hackers are directly targeting healthcare organizations?
IMAGINE Software's Systems Specialist and cyber security guru Jeff Smith offered some tips to help keep your patient data safe:
1. Get Rid of Old Data
- Implement a digital shredding strategy for old data (EOBs, charge reports, patient checks, HCFAs, etc.) in your network. Ensure old data that is no longer needed is discarded.
2. Analyze Your Network Traffic
- Have your IT team create a baseline so you know what your normal traffic looks like versus suspect traffic, and can spot anomalies.
3. Have a Crisis/Backup Plan
- Practice worst-case-scenario planning so that if a breach does occur in your organization, you will have a plan for how each department responds. Have a plan for how your communications team responds, who gets involved from the legal team, etc.
4. Educate Your Staff on Best Practices
- Spread awareness of security risks and issues across your company. Educate your staff on the importance of not sharing passwords or leaving them on desks, the need to change passwords frequently, not clicking on links, locking computers when away, and reporting suspicious links or activity.
5. Know Your Laws and What's New
- Stay up to date on laws, specifically HIPAA. If doing business internationally or across state lines, there are new laws for how data is kept. It's key that you understand the HIPAA Security Rule.
6. Conduct a Security Risk Analysis
a. This includes Administrative Safeguards (staff training, staff access to data, termination procedures, etc.), Physical Safeguards (protection of the equipment, locked doors, surveillance cameras, and protection of the facility where equipment is housed), and Technical Safeguards (protection of the integrity of your office's computer network, user identification, automatic logoff, data encryption, etc.).
b. The HHS Security Risk Assessment application is available for download at www.HealthIT.gov/security-risk-assessment and will also produce a report that can be provided to auditors. According to the U.S. Dept. of Health & Human Services, "By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data."
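As an added example of the baseline approach in tip 2 (this is not code from the original post or from IMAGINE Software), the Python script below builds a per-host profile from a week of constructed daily outbound byte counts, then flags a day that deviates sharply from that profile and a host that has no baseline at all. The host names, volumes and the 3-sigma threshold are constructed assumptions for illustration.

```python
"""Baseline-versus-anomaly check over constructed daily outbound byte counts."""
from statistics import mean, pstdev

# Constructed seven-day baseline of outbound bytes per workstation (illustrative values).
BASELINE = {
    "ws-billing-01": [410_000, 395_000, 430_000, 402_000, 388_000, 415_000, 420_000],
    "ws-frontdesk-02": [120_000, 118_000, 125_000, 122_000, 119_000, 124_000, 121_000],
    "ws-records-03": [2_100_000, 2_050_000, 2_200_000, 2_150_000, 2_080_000, 2_120_000, 2_170_000],
}

# Constructed "today" observations to score against the baseline.
TODAY = {
    "ws-billing-01": 425_000,        # within normal range
    "ws-frontdesk-02": 9_800_000,    # far above baseline: candidate for review
    "ws-records-03": 2_160_000,      # within normal range
    "ws-unknown-09": 350_000,        # host absent from the baseline
}


def build_baseline(history, min_sigma_ratio=0.05):
    """Per-host mean and standard deviation of daily outbound bytes.

    Sigma gets a floor (a fraction of the mean) so a very flat history does not
    turn every small wobble into an alert."""
    profile = {}
    for host, samples in history.items():
        mu = mean(samples)
        sigma = max(pstdev(samples), mu * min_sigma_ratio)
        profile[host] = (mu, sigma)
    return profile


def score_today(profile, observed, z_threshold=3.0):
    """Return {host: reason} for observations that deviate from the baseline.

    A host with no baseline is reported too: unknown devices talking outbound
    are worth a look in a clinical network."""
    findings = {}
    for host, value in observed.items():
        if host not in profile:
            findings[host] = "no baseline for host"
            continue
        mu, sigma = profile[host]
        z = (value - mu) / sigma
        if z > z_threshold:
            findings[host] = f"outbound volume {z:.1f} sigma above baseline"
    return findings


if __name__ == "__main__":
    for host, reason in score_today(build_baseline(BASELINE), TODAY).items():
        print(f"{host}: {reason}")
```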
For more information on HIPAA violations and enforcement, visit the American Medical Association: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
Susan D. Hall (June 16, 2014). OCR attorney predicts spike in HIPAA fines. Retrieved from http://www.fiercehealthit.com/story/ocr-attorney-whopping-hipaa-fines-you-aint-seen-nothin-yet/2014-06-16
Lynn Sessions, Kimberly M. Wong and Cory J. Fox (June 13, 2014). HHS Attorney: Major HIPAA Fines and Enforcement Coming. Retrieved from http://www.dataprivacymonitor.com/enforcement/hhs-attorney-major-hipaa-fines-and-enforcement-coming
Marianne Kolbasuk McGee (April 23, 2014). FBI Issues Healthcare Cyber-Alerts. Retrieved from http://www.healthcareinfosecurity.com/fbi-issues-healthcare-cyber-alerts-a-6779
U.S. Department of Health & Human Services. Breaches Affecting 500 or More Individuals. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
U.S. Department of Health & Human Services. Summary of the HIPAA Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html