Nearly every day, it seems, the media report a massive cyberattack on a healthcare organization. Nevertheless, most physician practices still don’t safeguard their electronic patient information properly.
News accounts of security breaches tend to focus on big healthcare systems, but that doesn’t mean that small and medium-sized practices are safe. In fact, cyber thieves view poorly protected medical records in these practices as easy pickings.
“Lots of hackers target smaller businesses because they won’t have the necessary expertise on staff to fully secure their system,” says Gerard Nussbaum, JD, an independent healthcare consultant based in Chicago.
Practices often lack basic security policies and procedures, allow staff members to share passwords, and fail to turn on or properly configure the security features of their electronic health record (EHR) systems. In addition, many practices fail to perform security risk assessments, despite a requirement to do so under the Health Insurance Portability and Accountability Act (HIPAA).
Here are 10 steps that experts say can help practices defend their protected health information (PHI) and their businesses from cyber criminals.
Do a security risk assessment
Besides being required by the HIPAA security rule, security risk assessments must be performed annually to meet the criteria of the Meaningful Use EHR incentive program and Medicare’s new Merit-based Incentive Payment System (MIPS).
If a consultant is required, a security risk assessment can cost several thousand dollars, says Lee Kim, JD, director of privacy and security for the Healthcare Information Management and Systems Society (HIMSS). There are also costs for security risk mitigation, Nussbaum points out. For example, practices might have to buy extra software to supplement their EHR’s security tools, which may cover only some aspects of security.
Online guides from HIMSS and the Office of the National Coordinator for Health IT (ONC) can help practices perform security risk assessments. Even small and medium-sized practices can do this, says Mike Sacopulos, JD, president of the Medical Risk Institute in Terre Haute, Indiana. However, he advises hiring a consultant for the initial evaluation if the practice has never done one before.
Under the HIPAA security rule, patient data should be encrypted whenever possible. Any current certified EHR can perform this task.
Experts agree that while encryption is essential, practices should not rely on this approach alone—or on other technical fixes such as antivirus programs and firewalls—to defend the privacy and security of data. The weak point of encryption is that it relies on protecting access to the system, says Mac McMillan, chief executive officer of security firm CynergisTek. If a password is stolen, for example, the thief can use that password to access data, whether or not it is encrypted.
More than 80% of security breaches, Sacopulos says, result from human factors. While few practice staffers would steal PHI, they could unwittingly introduce malware into a practice network by falling for phishing emails or other tactics.
In many cases, security training can prevent those kinds of breaches, he says. Practices can buy online HIPAA security training or get free training from some hospitals and medical societies.
Control system access
Access control, a key component of security, takes different forms depending on a practice’s network and how its EHR and practice management system are hosted.