Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape (HIPAA Journal, June 11, 2019)

This is a headline from just one of hundreds of articles I’ve collected over the last eight years and is proof of what all of us should be willing to accept: As an industry, retina specialists are a prime target for individuals and organizations with no moral compass.

I have well over 30 years’ experience in information technology but gave up selling or performing any kind of IT service when I saw, firsthand, how practices were struggling to understand an environment they had never dealt with before. This background allows me to help practices understand where they’re vulnerable technically. The problem is, one of the most prevalent problems isn’t usually technical, and that has been true since the beginning of electronic patient data.

The three flavors of data threats

Here are two more headlines to ponder:

OCR – Healthcare Organizations Unaware of Privacy Regulations (Fierce Health IT, April 26, 2013)

Study Reveals Healthcare Industry Employees Struggling to Understand Data Security Risks (HIPAA Journal, April 30, 2018)

These articles came five years apart, but they point to a very consistent problem. Here’s what health-care attorney Marla Hirsch said in her 2016 article for Fierce Healthcare:1 “What’s even more concerning is that inside employees were responsible for more than half of November’s breaches, a notable increase from past months.” Another article noted that repeat offenders caused 30 percent of health-care data breaches in the second quarter of 2018.2 TechRepublic reported earlier this year that employee errors are a larger threat to data security than hackers or insiders.3

So, while this makes it seem that the greatest problem is at the employee level, it’s important to remember that threats come in three flavors: administrative, physical and technical. So is there anything a practice can use to get a handle on where it may be exposed to threats?

Security risk analysis

The security risk analysis (SRA) first appeared in the HIPAA Security Rule, but because this was six years before the introduction of Meaningful Use, there was little fanfare regarding the required process. Even worse was the fact that many believed it only related to practices participating in Medicare and Medicaid. The simple truth is, if an entity creates, maintains, transmits or receives confidential patient information in any electronic format, HIPAA requires it to have an SRA.

When an SRA is conducted the way the Office of the National Coordinator for Health Information Technology intended, this requirement is a simple two-step process that addresses all three of the areas described above, posing questions that help the practice to determine its current footprint related to security and compliance regarding patient data. And yet, the failure to perform the SRA has been a leading cause of HIPAA violations since 2012.  

In 2011, the first year of Meaningful Use, Congress ordered an audit of participating practices to determine the program’s efficacy. Congress authorized 150 audits, but the process stopped at 115 because the audits had already disclosed 980 HIPAA violations. The most prevalent violation was the failure to have the SRA performed. Today, in an overwhelming majority of cases where penalties are assessed by the Department of Health and Human Services, one of the failures is not having performed the SRA. One medical imaging company paid a $3 million settlement for exposing more than 300,000 patient health records. One of the violations HHS cited was a failure to conduct a risk analysis.4

Three things an SRA evaluates

Space won’t allow me to go into depth on the SRA, but here are things that every practice can afford to do in regard to the three essential elements, and the SRA evaluates all of them:

• Obtain a personalized policies and procedures manual. Don’t be foolish and buy templates off of the internet. You are expected to have policies that directly reflect the way you run your practice. Generalized policies will do nothing but back you into an indefensible corner. Then, make sure every one of your employees reads the manual. (How can you expect them to help you protect the practice if they don’t understand the responsibilities you’re required to meet?)

• Make sure all your employees get training. This should not only address HIPAA, but also introduce employees to phishing and other forms of malware attacks. Use a program that tests them afterward, and don’t accept the kind of test a 4-year-old could guess at and pass.

• A true firewall is the single most important piece of tech you can own. They’re not that expensive, but don’t accept the device your internet provider installs and tells you “this is your firewall/router, so you’re protected.”

I’m a golf buff (not any good, but I love the game), and if you’ve ever learned anything about the game you will have heard the name Ben Hogan. He said something that is only 10 words long, each word only two letters, but I can’t think of anything that rings truer for each of us in this industry today: “If it is to be – it is up to me.”

A good place to start is with the SRA. Learn from it and grow from there.

REFERENCES

1. Hirsch M. 2016 a banner year for EHR security breaches. Fierce Healthcare. December 29, 2016. Available at: https://www.fiercehealthcare.com/it/feature-2016-banner-year-for-ehr-security-breaches

2. Davis J. 142 healthcare data breaches in Q2, 30% caused by repeat offenders. Healthcare IT News. August 9, 2018. Available at: https://www.healthcareitnews.com/news/142-healthcare-data-breaches-q2-30-caused-repeat-offenders

3. Sanders J. Employee mistakes and system errors are a larger threat to data security than hackers or insiders. TechRepublic. March 26, 2019. Available at: https://www.techrepublic.com/article/employee-mistakes-and-system-errors-are-a-larger-threat-to-data-security-than-hackers-or-insiders/

4. Press release: Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients’ protected health information. Department of Health and Human Services; Washington, DC. May 6, 2019. Available at: https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html