Healthcare Practice Strategies - Spring 2016 - Data Security: Protecting Patient Data Is Your Responsibility
There was a time when a locked file cabinet was all that was needed for “data protection.” Today, the profusion of digital data at the practice level requires a much more involved and vigilant approach.
Small medical practices — just like small businesses and mom-and-pop retailers — are particularly appealing targets to data thieves trolling for Social Security numbers and credit card information. These practices often lack the advanced technology to deter attacks and typically do not have dedicated IT staff keeping a watchful eye.
The Stakes Are High
Unfortunately, patient privacy laws cut providers no slack. HIPAA legislation pins the blame for data breaches squarely on “covered entities” — doctor’s offices, health insurers and hospitals. Fines can range from $100 to $50,000 per violation, with maximum fines reaching $1.5 million in cases where willful neglect can be proven as a cause for the breach.
Furthermore, the HITECH Act requires that patients affected by a data breach be notified and that any data breach involving more than 500 patients be reported to that state’s media outlets. Obviously, any breach that is made public could have a serious impact on your reputation.
Set a Watchman
The reality is that medical practices need to act as their own watchdogs and protect their patients and themselves from the dangers of a data breach. Consider these key steps for protecting patient data:
Create a culture of data security. If there is no dedicated data security team, data security must become the job of everyone in the practice. Create a formal data protection policy and provide continuous training on security best practices. Also create an incident response plan that outlines the steps to take (and who will take them) in the event of a data breach. Here, you can turn to a third-party contractor for help.
Guides to developing data security policies and procedures are available from the American Medical Association, the American Academy of Family Physicians and the American Dental Association. Finally, give your policies some teeth by establishing consequences for violations (e.g., verbal/written warnings, unpaid suspensions, termination).
Develop a data retention plan. Obviously, the less data flowing through the pipes, the less likely the chance of springing a leak. A basic data retention policy that outlines what data should be kept, where it should be stored and for how long can help ensure that you don't keep more data than needed.
Put someone in charge. HIPAA requires practices to name a security officer as the point person for implementing data security regulations. Assign security to one person — preferably someone with real authority, such as a doctor or office supervisor — and give him or her the resources and time to do the job. This may include conducting a risk analysis, creating procedures and policies, training employees and ensuring that all computers are kept up to date with security patches.
Encrypt appropriately. Under the HITECH Act, loss of encrypted data is not considered to be a data breach. Make sure all back-up hard drives, the network and any hardware (laptops, flash drives, smart phones, etc.) are encrypted to at least 178 bits.
Control access. Consider giving administrators login and authentication on computers and networks at your practice, including controlling access and validating privileges.
Assess risk. Utilize the free HIPAA Security Risk Assessment Tool to ensure compliance with HIPAA’s administrative, physical and technical safeguards.
Ultimately, digital data is a boon for improving healthcare delivery. But it certainly ups the ante for hackers and thieves to steal valuable personal information — making data security critical for your practice.
Data Breaches That Made the News
It’s not just Target and the IRS that are getting hacked these days. Healthcare providers of all sizes are experiencing data breaches, including these:
- Hollywood Presbyterian Medical Center in Los Angeles agreed to pay the equivalent of $17,000 in bitcoins to regain control of its computer systems after the facility was hacked in a “ransomeware” attack.
- Former employees allegedly breached data systems at an Owensboro, Ky., medical group, stealing information from about 3,000 patients to start their own business.
- Radiology Regional Center, PA, in Fort Myers, Fla., was forced to notify patients of a data breach when paper records containing personal information were accidentally “released” by its records disposal vender while en route to the destruction facility.
Healthcare Practice Strategies - Spring 2016