Six Tips to Improve Data Security for Independent Healthcare Practices
The healthcare industry is under attack, particularly independent practices like yours. Why? Because hackers and bad actors are looking for valuable “fullz” – full identity profiles on people – and they know healthcare practices hold that data. They also know physicians typically do not have enough in-house IT staff to protect an independent practice, so they assume practices are sitting ducks. In honor of National Data Privacy Day today, we are focusing on how NOT to be a sitting duck with six tips for improving your data security.
As an independent practice, you are the one held responsible when a breach occurs, and you face fines if you were in violation of HIPAA requirements. But do you know how much a breach costs? According to a study conducted by the Ponemon Institute, a healthcare breach costs an average of $408 per record. For a practice with 2,000 patient records, that equates to $816,000. The same study found it takes an average of 197 days just to discover that a breach has occurred, and another 69 days on average to contain it.
Just one look at the infamous “HIPAA Wall of Shame,” which is on the Department of Health and Human Services Breach Report portal, and you can see the magnitude of the problem – hacking/IT incident, unauthorized access/disclosure, theft, and loss. It’s a nightmare for a practice trying to focus on providing excellent patient care.
The 2019 Verizon Data Breach Investigations Report revealed important information for independent practices. What stood out the most is that healthcare is the only industry where the share of breaches involving insiders (59%) was greater than the share involving external actors (42%); the figures add to more than 100% because a single breach can involve both. Breaches of medical information are 14 times more likely to be caused by doctors and nurses than by outsiders. Another key statistic: 81% of healthcare incidents fell into just three patterns – miscellaneous errors (such as misdelivery and software misconfiguration), privilege misuse, and web application attacks. This is good news because most of these patterns are within your control: your independent practice can take steps to take the target off your back and lessen the chance of onerous fines.
We talked recently with Jesse Salmon, Kareo’s information security manager, and he offered some important tips on how practices can reduce the risk of a data breach.
- Perform a risk assessment. HIPAA requires practices to conduct a risk assessment to identify weaknesses in policies, procedures, and technology, including EHR systems. The problem for many independent practices is that they have no idea how to begin. A good place to start is to review the Dept. of Health and Human Services Data Breach Report and look for practices similar to yours in size and specialty. Observe the nature of the breaches they’ve experienced, because it probably represents a similar risk for your practice. For example, you’ll see multiple incidents involving e-mail. E-mail is a huge weakness for many independent practices. Ninety percent of malware arrives through e-mail, so your staff needs training on what not to open. But one of the biggest issues doesn’t even begin with the practice itself, but with patients who disclose protected information when e-mailing staff. Caution patients against e-mailing that kind of data, handle the request through a secure channel, and then delete the e-mail rather than leaving it in an inbox. And no protected data should ever be stored or saved on an unencrypted, unprotected computer. If e-mail is dangerous, texting is worse: ordinary SMS messages are not encrypted end to end and sit in the phone’s message store, so staff should never communicate sensitive data by text, even among themselves. Set up a secure patient portal and limit direct communication with patients to the portal.
- Train your staff on common scams. Related to the first point, train staff on how to avoid malware and phishing. Staff should be suspicious of attachments and web links, even when they appear to come from someone they know. Poor grammar, misspellings, or calls for urgent action are often signs that a message isn’t legitimate, and no one should release patient records or change a payment destination on the strength of an e-mail alone without confirming the request through a phone number they already have on file. Practices can test staff by sending simulated phishing e-mails that attempt to obtain patient information. This isn’t to get employees in trouble but to identify gaps in training, process, or procedure that can be addressed.
- Obtain cyber-liability insurance. Cyber-liability insurance protects healthcare practices in case sensitive patient information is compromised. It can cover legal costs and often can be included in overall healthcare practice insurance. One important tip: require any partners or vendors to provide certificates of insurance before gaining access to the EHR.
- Build security into business partner agreements. In addition to shoring up their own security processes, practices need to hold their vendors, partners, and affiliated practices accountable for their security processes as well. Include security process and system requirements, and who is responsible for each, in your business associate agreements with partners such as image processing services, billing and revenue cycle management companies, EHR system providers, and others, to ensure all the correct procedures are in place.
- Use encryption on all devices. All sensitive data should be encrypted on all devices, including desktops, laptops, tablets, and cell phones, to make unauthorized access more difficult. This matters more as devices get smaller, more portable, and easier to lose or steal. The good news is that encryption is now built into these devices at no extra cost. On Windows, BitLocker is included with the Pro and Enterprise editions (the Home edition offers only a limited “device encryption” feature on some hardware), and on Mac, FileVault is included with every machine. However, on a new computer it is usually turned off by default, so you need to turn it on, and you should keep the recovery key somewhere safe but separate from the device. Phones and tablets encrypt their storage once a passcode is set, so require one. Instructions for enabling BitLocker and FileVault are readily available online, and you should verify on each machine that encryption is actually on rather than assuming it.
- Choose a partner for added data security protections. To ensure that patient information is secure and protected against potential breaches, select a clinical and practice management platform that demonstrates a commitment to data security and maintains recognized security attestations, including HITRUST certification, a SOC 2 report covering the AICPA Trust Services Criteria for security, confidentiality, and availability, and alignment with NIST security frameworks. In addition, partners should undergo third-party audits to verify that the requirements and framework are implemented correctly. More detailed information on what to look for to ensure the security of your protected health information can be found on Kareo’s security page.
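The encryption tip above says to turn encryption on and to verify it. The script below is an added example, not code from the article or from Kareo, of what that verification looks like on the command line. It assumes a Mac with the built-in `fdesetup` tool, or a Windows machine where `manage-bde` can be run from Git Bash in an Administrator window; the command output it parses is constructed inline from the format those tools print. The BitLocker check is the instructive part: a drive can report itself “fully encrypted” while protection is suspended, in which case the key is stored in the clear and a thief can read everything.

```sh
#!/bin/sh
# Added example (not from the article): verify that full-disk encryption is
# actually on before a laptop is allowed to hold PHI. Assumes macOS with
# `fdesetup`, or Windows with `manage-bde` reachable from Git Bash run as
# Administrator. Parsers take the tool's output as $1 so they can be checked
# offline against constructed sample text.

# macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# Windows: `manage-bde -status C:` reports, among other fields,
#   Conversion Status:    Fully Encrypted
#   Protection Status:    Protection On
# Both must hold for one volume. A volume still converting is partly
# plaintext, and a suspended volume ("Protection Off") keeps its key in the
# clear on disk, so it is readable even though the data is "encrypted".
bitlocker_on() {
  case "$1" in
    *"Fully Encrypted"*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"Protection Status:"*"Protection On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the right check for this machine; exit status 0 means protected.
check_local() {
  case "$(uname -s)" in
    Darwin)               filevault_on "$(fdesetup status 2>/dev/null)" ;;
    MINGW*|MSYS*|CYGWIN*) bitlocker_on "$(manage-bde -status C: 2>/dev/null)" ;;
    *) echo "unsupported platform" >&2; return 2 ;;
  esac
}

# Usage: sh fde_check.sh check
if [ "${1:-}" = "check" ]; then
  if check_local; then
    echo "disk encryption: ON"
  else
    echo "disk encryption: OFF, suspended, or incomplete; do not store PHI on this device" >&2
    exit 1
  fi
fi
```

Run it once per machine when a device is issued and again after any Windows feature update, since updates and firmware changes are common reasons BitLocker ends up suspended. The macOS check looks only at the boot volume, which is where `fdesetup` reports; external drives need to be encrypted separately.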
For attackers, this is their job and their business model – it’s how they pay their bills. They aim to get as much information as possible on individuals, including first and last name, date of birth, current and previous addresses, credit card numbers and any protected health information, all of which you have, making you a target. These bad actors go after healthcare practices because they think you can be easy prey, but by implementing some smart steps and protocols you can reduce your risk and protect your patients’ critical data.