With all the focus on data privacy within the healthcare industry — headlines telling of the latest organization to suffer a data breach seem to appear almost weekly — medical practices should be masters of the data protection basics.
But as we look at the details of recent exposures, it's clear that some hospital systems and physician practices are still falling behind on the fundamentals.
To help bolster data security practices, we've outlined five things that continue to put medical practices at risk for a breach. These are some of the gaps cyber criminals love to exploit, but the good news is that the solutions are almost universally low tech and among the easiest to implement.
Read through the list and see if your organization is making these data protection mistakes.
1. Lack of employee training
Employees usually receive standardized training on clinical and billing procedures, but too few are instructed in proper data protection practices. Training must include awareness of HIPAA requirements and of the practice's own system policies. It should also cover social engineering, including the dangers of sharing login credentials, along with basic hygiene such as avoiding weak or reused passwords. More garden-variety risks should be taught as well, so that employees aren't the weakest link in the security chain. Adequate training in recognizing suspicious network or account activity is crucial, as is the ability to recognize and avoid potentially dangerous e-mail attachments, links and compromised websites.
Not only are well-trained employees less likely to commit a breach-inducing error themselves, they're also much better able to spot potential security lapses by others. When something is awry in a practice where employees have received adequate privacy training — shred bins that would normally await the destruction company's monthly visit are being emptied by the nightly janitorial crew, for example — they're able to identify the problem and bring it to the attention of the practice managers. If users report concerns with the practice's patient-facing web portal, employees with privacy training know to contact the IT staff or outside consultant to look into the situation. Early detection and remediation of potential security issues is crucial in mitigating breach risks.
2. Business associates with a weak security posture
One glaring area of concern lies in the business associate realm, where trusted partners aren't always as stringent in their privacy practices as they should be. As a healthcare provider, your organization still holds responsibility for data managed by its business associates. Many healthcare firms outsource disciplines such as medical billing tasks and transcriptions. Even EHR systems are very often installed and maintained by an integrator who helps the practice get the most out of their investment.
Some of these tasks are outsourced to cut costs; often it's an expertise issue, since someone outside the organization is better able to do the work than an inside employee. No matter the reason, every one of these outside partners must abide by the responsibilities HIPAA sets out for business associates. Conducting robust due diligence as part of the BA selection process is one task healthcare providers should take very seriously. In addition, every business associate agreement should include the privacy and security provisions HIPAA requires, along with clear breach notification and response expectations. Be sure your BAs take data protection as seriously as you do.
3. Vendors with too much access
Healthcare organizations both large and small rely on a bevy of third-party providers to keep the business running. Many of these aren't considered BAs, but instead focus on operational issues outside the PHI realm. They may be anything from payroll processors to HVAC contractors. In every case, the ability of these outside parties to access protected data must be carefully managed. Vendors should have access only to the information assets necessary to carry out their respective tasks. Employee benefits administrators likely don't require the use of the practice's EHR system. Mechanical contractors shouldn't have access to patient billing records.
To reduce the risk of a breach, sensitive data should be segmented into its own part of the network, separated from the systems used for daily operations and general management of the organization, so that a vendor account on one side cannot reach data on the other. This segregation is a crucial component of maintaining appropriate security around protected information. Close monitoring of vendor access levels, and modifying or removing access as soon as a vendor's work is complete, will also help ensure that no one retains entry to data outside their area of responsibility.
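A concrete way to run the two checks this section calls for, a least-privilege review of what each vendor account can reach and a sweep for accounts whose work is finished, as an added example that is not part of the original article. It assumes a hypothetical inventory of vendor accounts, each listing the systems it can reach, a contract end date and a last-login date; the vendor types, system names and sample accounts below are constructed for illustration.

```python
"""Vendor access audit (added example; the inventory format is assumed).

Two checks a practice manager or IT consultant would run over a vendor
account inventory:
  1. Least privilege: does the account reach a system its vendor type has no
     business reason to touch, and is that system one that holds PHI?
  2. Remove when done: has the contract ended, or has the account sat unused
     long enough that it should be disabled?
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical mapping of vendor type to the systems it may legitimately reach.
# A vendor type not listed here is allowed nothing, so every system it holds
# is flagged; that is the safe default for an unknown relationship.
ALLOWED_SYSTEMS = {
    "billing_service": {"billing", "clearinghouse"},
    "ehr_integrator": {"ehr", "ehr_admin"},
    "payroll": {"hr", "payroll"},
    "hvac_contractor": {"building_automation"},
}

# Systems (constructed names) that hold protected health information.
PHI_SYSTEMS = {"ehr", "ehr_admin", "billing", "clearinghouse"}


@dataclass
class VendorAccount:
    username: str
    vendor_type: str
    systems: set
    contract_end: date
    last_login: Optional[date]  # None means the account has never signed in


def over_privileged(acct: VendorAccount) -> list:
    """Systems the account can reach beyond what its vendor type is allowed."""
    allowed = ALLOWED_SYSTEMS.get(acct.vendor_type, set())
    return sorted(acct.systems - allowed)


def should_disable(acct: VendorAccount, today: date, stale_days: int = 90) -> list:
    """Reasons the account should be disabled now; empty list means it is fine."""
    reasons = []
    if acct.contract_end < today:
        reasons.append("contract ended")
    if acct.last_login is None:
        reasons.append("never logged in")
    elif today - acct.last_login > timedelta(days=stale_days):
        reasons.append(f"no login in {stale_days} days")
    return reasons


def audit(accounts, today: date, stale_days: int = 90) -> list:
    """Run both checks and return one finding dict per problem found."""
    findings = []
    for acct in accounts:
        extra = over_privileged(acct)
        if extra:
            findings.append({
                "account": acct.username,
                "issue": "over-privileged",
                "systems": extra,
                "touches_phi": any(s in PHI_SYSTEMS for s in extra),
            })
        reasons = should_disable(acct, today, stale_days)
        if reasons:
            findings.append({"account": acct.username, "issue": "disable", "reasons": reasons})
    return findings


# Constructed sample inventory and a fixed audit date so results are repeatable.
AUDIT_DATE = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-billing-acme", "billing_service", {"billing", "clearinghouse"},
                  date(2025, 12, 31), date(2025, 2, 24)),
    # HVAC contractor that somehow has billing access: over-privileged, touches PHI.
    VendorAccount("svc-hvac-cool", "hvac_contractor", {"building_automation", "billing"},
                  date(2025, 12, 31), date(2025, 2, 27)),
    # Integrator whose engagement ended last year and never had access removed.
    VendorAccount("svc-ehr-int", "ehr_integrator", {"ehr", "ehr_admin"},
                  date(2024, 6, 30), date(2024, 6, 15)),
    # Payroll account provisioned but never used.
    VendorAccount("svc-payroll", "payroll", {"hr", "payroll"},
                  date(2026, 1, 31), None),
]


def run_sample_audit() -> list:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

The "over-privileged" findings are the ones to act on first when `touches_phi` is true; the "disable" findings are the routine sweep that should run on a schedule rather than only when someone remembers a vendor has left.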
Practices must also keep in mind that paper records are just as sensitive as their electronic brethren. Patient files left on desks — where anyone from other patients to the cleaning crew could potentially see them — are no more secure than an EHR system exposed to the open Internet. Paper documents must be secured against unauthorized viewing, and they must also be disposed of properly. All sensitive waste material should be destroyed in a manner that renders it indecipherable, for example by cross-cut shredding rather than tossing it in the regular trash.
4. Unused security tools
In many practices, basic and freely available privacy and security controls are used intermittently or not at all. The current breed of practice management and EHR systems have encryption and other security features built in; many are even used as selling points during demonstrations. But the reality is that practices are often slow to turn them on. Administrators may need to dig into their systems to see how to bolster security, but the features that are included should be enabled and used. Remember, too, that health records aren't the only datasets that must be protected within a practice's systems. Billing information and financial data should also be covered under the data security umbrella.
Another basic security gap that rears its head far too often is the vast amount of data leaving practices on unsanitized printers, fax machines, photocopiers and old computer equipment. Many of these devices have internal storage, whether a hard drive or flash memory, that may still contain patient health data, financial records, or information on past and current employees or contractors. Devices that have been used to access EHR systems could still retain data artifacts such as cached documents or saved credentials. In all cases, the information stored within these machines must be securely wiped or the storage physically destroyed before the equipment is disposed of or, in the case of leased assets, returned to the leasing company.
5. Weak mobile security
The number of mobile devices used within medical practices is skyrocketing. Physicians and practice staff rely on a host of portable equipment — smartphones, tablets and thumb drives among them — to gather, input, store and access PHI and other sensitive data. Unfortunately, these go-anywhere gadgets aren't always well protected.
Strong passwords and device lock codes, for example, provide an important layer of security for mobile devices. However, many employees don't adopt them and many organizations don't require them. The data residing on mobile devices is often unencrypted, leaving it open to anyone who gains physical control of the device; a screen lock alone does nothing to protect data read directly from the device's storage. Together these factors make for an especially dangerous scenario considering mobile phones and laptops are favorite targets of parking lot prowlers and street thieves.
A mobile device containing unencrypted PHI and no password protection is a veritable gold mine of valuable data. Passwords are easy to use and free to implement. Encryption technology is also simple to deploy and many versions are low or no cost. With the amount of PHI available on many devices, practices must treat them with the same care and caution they apply to servers and desktop computers.
In addition, simply using mobile devices can open practices up to a breach. Mobile workers often use unprotected access points, in airports, hotels and coffee shops, to connect back to the network, a scenario that's fraught with security concerns. This is both a training issue and a technology issue. First, employees must know how to identify and avoid suspicious connections that may expose their communications to cybercriminals. Next, the devices themselves must be hardened against this type of off-premise attack: connections back to the practice network should be encrypted end to end (for example over a VPN) so that a hostile access point cannot read or alter the traffic, up-to-date anti-virus software must be active on the device, and any sensitive data stored on it should be encrypted to protect against theft.
Eduard Goodman is chief privacy officer for IDT911, a provider of identity protection solutions, identity theft recovery services, breach services and data risk management solutions.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.