Editor’s Note: Welcome to Medical Economics' blog section which features contributions from members of the medical community. These blogs are an opportunity for bloggers to engage with readers about a topic that is top of mind, whether it is practice management, experiences with patients, the industry, medicine in general, or healthcare reform. The series continues with this blog by Carol Gibbons, RN, BSN, NHA, who is CEO of CJ Consulting, which specializes in healthcare revenue cycle management. The views expressed in these blogs are those of their respective contributors and do not represent the views of Medical Economics or UBM Medica.
Last week a physician contacted me about setting up a small family practice in Austin, Texas. The practice will be all cash pay and the physician will not have any insurance contracts, having already been down that route in the past. The approach for the practice would be that the physician would see patients in the office or at home, and patient data would not be electronic so it would never be shared on the internet. With the current publicity about medical businesses' experience with ransomware and data hacks, the marketing will focus on the safety of patient information.
That caused me to do some research on how much a medical chart goes for on the “dark web.” It was a very enlightening process and gave me a marketing nugget for the practices that I deal with who are still on paper charts. In fact, I was in one of those practices recently and the owner’s wife was adamant about them NEVER utilizing electronic records and putting their patients at risk of identity theft.
While all of us recognize the advantages of an electronic record with respect to data retrieval, the risk has become greater because many practices do not secure their network. They do not emphasize training their staff on how to prevent phishing attacks that result in a hack of their databases. We see new fines disclosed every month on healthcare operations that did not comply with HIPAA Security regulations. A number of these breaches have been caused by third-party vendors who have remote access to your data, but do not protect their own network sufficiently.
I found the perfect example of this situation in a blog called Krebs on Security, by Brian Krebs. Tenet Health Hilton Medical Center had a breach of about 10,000 records, but the breach came through a company called In Compass. The breach was actually of a subcontractor for In Compass called PTS Services, which was a subsidiary of McKesson. This was a billing service that failed to protect a server and left the data open to a Google search for four months.
The moral of this story is that you should limit the number of companies that have access to your data and do your yearly due diligence through your HIPAA Security audit in verifying their network protection. All business associates should be able to give you a list of all their subcontractor companies that will also have access to your data. As I started advising clients to ask for this information last year, they have discovered a web of companies that have access to their information whom they know nothing about.
Next, I looked at the current value of a medical chart on the dark web. It did not take much research to find security businesses that have blogs and articles about items being sold on the dark web. A complete chart with a copy of driver’s license and insurance card can go for as much as $1,000 to thieves setting up a new identity for someone. On average, however, medical charts can be obtained fairly inexpensively. I found a recent article from Trend Micro that showed you could purchase a single identity with insurance card for under $10. If the record includes a driver’s license, the cost increases to $170.
The real money is in purchasing an entire database. An EHR database can go for as much as $500,000, and who knows how many times the data can be sold. According to an article by Cyber Scoop, there is so much data available on the dark web, the price per complete chart has dropped from $75 to $100 in 2015 to the current price range of $20 to $50.
If you have been a victim of identity theft as my husband was, you know that the cost of repairing your credit is much more than the actual theft. I am sure that many of you already contract with a company to assist you in monitoring your personal accounts to prevent theft, but what have you done for your business? Who is monitoring those accounts regularly to make sure they have not been accessed? What about that line of credit that you rarely use? How long would it take for you to notice if someone accessed that account and transferred money out? When was the last time you changed the password on your commercial business accounts, and do you have a list of people who have access to those accounts?
The bottom line is that the healthcare business owner is where the buck stops both operationally and financially. A major breach could bankrupt a business through fines and a loss of business. One of the things I researched while investigating the cost of a chart on the dark web was whether there were identity theft products geared to businesses, and I found multiple companies that offer them. I encourage you to check them out and enlist the same protections for your company that you would to protect your personal identity.
The business owner also needs to review business insurance and evaluate coverage for cyber theft. I recently looked at a couple of business policies and saw that they only had $20,000 to $50,000 in coverage. That is not nearly enough for a healthcare business that can be fined for each chart that is affected. This insurance is reasonably priced and I advise at least $1 million in coverage. Look at the number of medical practices that have paid fines between $500,000 and $750,000 to help you decide on the amount of coverage you need. Many malpractice policies also provide some coverage for cyber theft, which could combine with your business insurance coverage.
The most important thing to take away from this analysis of the cost of medical charts on the dark web is that your focus must be on prevention all the time.
· Ask your business associates who their subcontractors are and what their process is for evaluating the network security of those businesses.
· Educate your staff regularly on internet security in your office. That means more than once a year.
· Change passwords for all your accounts when an administrative person leaves your employment. You may need to invest in a password management product to assist you in keeping up with all your passwords, but frequently changing your passwords is an essential protection.
· Make sure that all terminated employees also lose their access to your software and your website.
· Investigate identity theft protection for your business and insurance to cover a data breach.
· Enlist a trusted company to monitor your network and prevent breaches of your data. That company should also be able to back up data and provide restoration services to get you back in business in the event of a data breach.
Diligence in protecting your data is the best defense against data breaches, but you also need to protect your business against the errors of others that may have access to your data. Staff education can organize all of your employees into an army focused on defending the security of patient data in your practice.