While newsmaking cyberattacks often involve external hacks, many breaches result from mistakes made within the practice.
During each of the past three years, covered entities paid more than $20 million in HIPAA fines. While a handful of major breaches made headlines, most notably Anthem’s $16 million settlement, small practices can’t afford to be complacent about security.
The more negligent a healthcare organization is found to have been at the time of a HIPAA violation, the higher the penalty. According to the U.S. Department of Health and Human Services (HHS), penalties range from $100 to $50,000 per violation depending on the level of culpability (each affected record can count as a separate violation), with an annual cap of $1.5 million for all violations of an identical provision.
For physician practices, even minor penalties can take a major financial toll. And that’s where the trouble just begins.
“More importantly for practices, a breach could impact their business continuity,” says Robert Tennant, director of health information technology (HIT) policy for the Medical Group Management Association. The loss of one month’s worth of claims data, for example, could cause significant disruption and potential loss of revenue, he notes.
Another significant risk to medical practices is damage to their reputations, says Matthew Fisher, JD, a partner with Mirick, O’Connell, DeMallie & Lougee LLP, in Massachusetts. Once you’ve had a HIPAA breach affecting 500 or more individuals, the name of your practice is posted on the Office for Civil Rights’ breach portal, widely known as the Wall of Shame, along with the type of breach, the date, and the number of individuals affected. “It does have an impact in terms of patients wanting to continue with the provider,” Fisher says.
There’s also the cost of providing credit monitoring to affected patients, typically for at least a year (a common practice, and one that some state breach laws require), as well as the mental anguish of having to respond to a government investigation, whether a fine is issued or not, adds Fisher.
As a result, preventing breaches of protected health information should be viewed by practices as a business imperative, says Tennant, adding that security depends on continually asking the question, “What if?”
The list of scenarios to consider is nearly infinite: a phishing attack, sending a fax to the wrong number, losing an unencrypted thumb drive, as well as threats that have yet to emerge.
Conduct a rigorous risk assessment
The best way to identify a practice’s key vulnerabilities is by conducting a baseline risk assessment, which has been required of practices since the HIPAA Security Rule went into effect. HHS is vague as to when and how often covered entities must conduct risk assessments (it recommends they be done “regularly”), but experts suggest performing this assessment at least annually.
“The risk analysis is going to give you a pretty comprehensive overview of your weaknesses, and is really going to help frame out how you’re going to implement all the different security policies,” says Fisher. Nonetheless, it’s a step practices often skip. “For incidents that result in a settlement or monetary fine, almost every time, there’s either a missing risk assessment or an inadequate risk analysis,” he says.
For practices that don’t have the necessary in-house technical expertise, it can be worth the cost to outsource at least part of the project, experts say. A third party may also give a more accurate assessment by looking at a practice’s systems with true objectivity, notes Fisher. He recommends getting an outside perspective every three to four years.
And if a breach does occur, a thorough risk assessment as well as written policies and procedures will help the practice defend itself against penalties, Fisher says.
Emphasize security fundamentals
While major cyberattacks involving ransomware or other external hacks draw headlines, many breaches result from mistakes made within the practice.
“The human component is the most difficult to secure,” says Michael Yamamoto, chief information security officer for Beth Israel Deaconess Medical Center in Boston. “We have 23,000 employees. If a hacker asked everybody what their passwords are, then there’s probably somebody who’s going to tell them.”
Yamamoto recommends that healthcare organizations of all sizes focus cybersecurity training around the basics of everyday work life. “Fundamentally, a lot of security comes down to people’s passwords,” he says. “If somebody gets that password, they’re in.”
To keep hackers at bay, he recommends using long passwords with at least 12 characters, and different passwords for every place a user logs in. To keep track of them all, he advises using a password manager, which is a software application that stores and manages a user’s passwords for all their various online accounts and security features. This tool stores the passwords in an encrypted format, which the user accesses with a master password.
Fisher also recommends that practices require multi-factor authentication, such as a password and a fingerprint, whenever possible.
Another best practice is to instruct individuals not to access medical records they don’t need to perform their job. “People probably don’t realize they’re perpetuating data breaches when they enter a record that they really have no clinical reason to be in. We tell people they can’t look in their own medical records or those of family members outside of the due course of their jobs,” Fisher says.
Finally, physicians must take cybersecurity training seriously and keep their knowledge up to date by really listening to the education their employers provide, says Rebecca Grochow Mishuris, MD, MPH, associate chief medical information officer for Boston Medical Center and an assistant professor of medicine at Boston University School of Medicine.
“There are new threats coming out all the time that we have to address,” she says. “It’s not enough to say you learned it three years ago. Three years ago, things were very different than they are now from a data security standpoint.”
For example, phishing attacks have become much more sophisticated in recent years. “It’s not like the email from the prince in Nigeria anymore. It’s an email that looks like it came from your institution,” says Mishuris, a general internist at Boston Medical Center. So anyone using the practice’s email system needs to know that the practice will never ask for a password over email, or send a link that requires the user to sign in, without first warning staff verbally.
A strong spam filter will catch most emails falsely claiming to be from the practice or other trusted entities, but it’s critical that all users learn to recognize a potentially dangerous email and know what to do about it.
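The two warning signs described above can be turned into a simple check. The following Python is an added example, not code from the article or from any of the people quoted in it: it parses constructed email messages and flags (a) a message that claims to come from the practice’s domain but failed the receiving mail server’s SPF, DKIM or DMARC checks, and (b) a message that asks for a password or sign-in, in particular via a link to a host outside the practice. The practice domain, the sample messages and the keyword list are assumptions made for illustration; a real mail gateway combines many more signals than this.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed practice domain (illustration only; not from the article).
PRACTICE_DOMAIN = "example-practice.test"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Phrases a phishing mail uses to push the reader toward entering credentials.
CREDENTIAL_RE = re.compile(
    r"\b(password|passcode|sign[\s-]?in|log[\s-]?in|verify your account)\b",
    re.IGNORECASE,
)


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    """Domain of the From: address (the part the reader actually sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_failed(msg):
    """The receiving server records SPF/DKIM/DMARC outcomes in Authentication-Results."""
    results = msg.get("Authentication-Results", "").lower()
    return any(f"{m}=fail" in results or f"{m}=softfail" in results
               for m in ("spf", "dkim", "dmarc"))


def body_text(msg):
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def link_hosts(text):
    """Hostnames of all http(s) links in the text."""
    return {urlparse(u).hostname.lower() for u in URL_RE.findall(text)
            if urlparse(u).hostname}


def assess_message(raw, practice_domain=PRACTICE_DOMAIN):
    """Return a list of reasons the message looks like phishing (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    claims_practice = in_domain(sender_domain(msg), practice_domain)
    if claims_practice and auth_failed(msg):
        reasons.append("claims to be from the practice but failed SPF/DKIM/DMARC")
    text = body_text(msg)
    asks_for_credentials = bool(CREDENTIAL_RE.search(text))
    foreign = {h for h in link_hosts(text) if not in_domain(h, practice_domain)}
    if asks_for_credentials and foreign:
        reasons.append("asks for credentials via link to outside host(s): "
                       + ", ".join(sorted(foreign)))
    elif asks_for_credentials and claims_practice:
        # The practice never asks for a password or sign-in by email.
        reasons.append("internal-looking message asks for a password or sign-in")
    return reasons


# Constructed sample messages (not real mail).
PHISH = """From: IT Help Desk <helpdesk@example-practice.test>
To: dr.smith@example-practice.test
Subject: Action required: password expires today
Authentication-Results: mx.example-practice.test; spf=fail smtp.mailfrom=bulk-sender.test; dkim=none
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Sign in at https://example-practice-login.portal-verify.test/reset to keep access.
"""

LEGIT = """From: Practice Manager <manager@example-practice.test>
To: staff@example-practice.test
Subject: Staff meeting Thursday
Authentication-Results: mx.example-practice.test; spf=pass smtp.mailfrom=example-practice.test; dkim=pass
Content-Type: text/plain; charset=utf-8

Reminder: the monthly staff meeting is Thursday at noon. Agenda is on the intranet: https://intranet.example-practice.test/agenda
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, assess_message(raw) or ["no warning signs"])
```

The spoofed message trips both rules: the From: domain is the practice’s own but SPF failed, and the body pushes the reader to “sign in” at a look-alike host that is not under the practice’s domain. The routine staff notice passes: its authentication results are clean, its only link stays on the practice’s subdomain, and it asks for no credentials.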
Practices must make it clear to all clinicians and staff that if they click on a bad link, open a suspicious attachment, or make another security-related mistake that they will not be disciplined-and that reporting incidents is crucial, Mishuris says.
The sooner a potential breach is discovered, the sooner an organization can take steps to stop or minimize the damage, such as resetting the employee’s password and sending a blast email that describes the threat to the rest of the staff and tells them what to do if they receive it. To that end, individuals must be trained in reporting procedures, which typically involve notifying IT via a dedicated email address or phone number, she explains.
“It’s important that the practice culture not penalize reporting, but promote behaviors that help find gaps and make improvements,” Mishuris says. Early detection that allows time to intervene in a breach is essential to limiting a practice’s liability when security incidents occur, she says.
Security and privacy officials at Beth Israel Deaconess employ several tactics to instill good security habits throughout the organization, but a common thread is an effort to make messaging memorable, says Yamamoto.
For example, the organization has distributed bags of Swedish Fish candy with accompanying information about phishing, he says. Yamamoto has also been filmed holding a fishing pole in an educational video about the same topic.
“We try to use a story-based approach, using funny or [silly] things that will help people stop for a moment and think about what they’re doing,” he says. “When you’re so busy pushing things out, it’s really easy to perpetuate a major problem.”
Give HIT some TLC
Finally, HIT systems themselves need regular attention to operate securely, using outside help if necessary, says Yamamoto. It is especially important to install software updates when they are released and make sure antivirus software is adequate and up-to-date.
“Keep those things up with some tender loving care, and you’ll be in pretty good shape,” he says.