Editor’s Note: which features contributions from members of the medical community. These blogs are an opportunity for bloggers to engage with readers about a topic that is top of mind, whether it is practice management, experiences with patients, the industry, medicine in general, or healthcare reform. The series continues with this blog by Carol Gibbons, RN, BSN, NHA, who is CEO of CJ Consulting, which specializes in healthcare revenue cycle management. The views expressed in these blogs are those of their respective contributors and do not represent the views of or UBM Medica.
Last week a physician contacted me about setting up a small family practice in Austin, Texas. The practice will be all cash pay, and the physician will not have any insurance contracts, having already been down that route in the past. The approach for the practice would be that the physician would see patients in the office or at home, and patient data would not be electronic, so it would never be shared on the internet. With the current publicity about medical businesses' experiences with ransomware and data hacks, the marketing will focus on the safety of patient information.
That caused me to do some research on how much a medical chart goes for on the "dark web." It was a very enlightening process and gave me a marketing nugget for the practices I deal with that are still on paper charts. In fact, I was in one of those practices recently, and the owner's wife was adamant about them NEVER utilizing electronic records and putting their patients at risk of identity theft.
While all of us recognize the advantages of an electronic record with respect to data retrieval, the risk has become greater because many practices do not secure their network. They do not emphasize training their staff on how to prevent the phishing attacks that result in a hack of their databases. We see new fines disclosed every month against healthcare operations that did not comply with the HIPAA Security regulations. A number of these breaches have been caused by third-party vendors who have remote access to your data but do not protect their own network sufficiently.
I found the perfect example of this situation in a blog called Krebs on Security, by Brian Krebs. Tenet Health Hilton Medical Center had a breach of about 10,000 records, but the breach came through a company called In Compass. The breach was actually of a subcontractor for In Compass called PTS Services, which was a subsidiary of McKesson. This was a billing service that failed to protect a server and left the data open to a Google search for four months.
The moral of this story is that you should limit the number of companies that have access to your data and, as part of your yearly HIPAA Security audit, do your due diligence in verifying their network protection. All business associates should be able to give you a list of all the subcontractor companies that will also have access to your data. Since I started advising clients to ask for this information last year, they have discovered a web of companies with access to their information that they know nothing about.