When hackers breached the computer system of the Anthem Inc. — the largest health insurer by market share in 82 of 388 metropolitan areas examined by the American Medical Association — they gained access to the personal information of tens of millions of customers and employees. Databases containing names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, employment information and even, potentially, income figures for up to 80 million people, were accessed by hackers, according to the Los Angeles Times.
After a long investigation, the Department of Health and Human Services (HHS) found that Anthem (then WellPoint, when the data-security breach occurred in 2010) did not adequately implement policies, procedures and software-security checks to protect unsecured electronic protected health information. The result was a major violation of the Health Information Portability and Accountability Act (HIPAA), and Anthem was slapped with a $1.7 million fine by HHS.
The largest fine settlement agreement to date for HIPAA violations went to New York-Presbyterian Hospital/Columbia University Medical Center — $4.8 million for a breach that led to exposure of patients’ medical records and test results. If it can happen to the big boys, it can happen to you. A recent analysis shows that 90% of health care organizations have exposed their patients’ data or had it stolen. In the wake of events like these, it’s a good time to pause for a refresher on some of the steps you need to take — beyond the standard firewalls and anti-virus software that should be installed — to secure the privacy of your patients’ medical, financial and personal data.
Paper records
Keep all paper medical records under lock and key and make sure only authorized personnel have access to them. Digitize and destroy records on an ongoing basis, to minimize the risk that records will become “lost in the shuffle,” resulting in exposure of patient information.
Electronic records
Don’t assume your electronic health records (EHR) vendor and health information technology (health IT) staff are simply upgrading security on a regular basis. When software is being installed or upgraded, ensure the following security features are in place: encryption, auditing functions, backup and recovery routines, unique user IDs and strong passwords, role- or user-controlled/restricted access controls, automatic timeout and provisions for emergency access. Train staff in appropriate use, including practical tips such as not writing down passwords, changing passwords regularly, logging out when done using the system, and making sure computer screens cannot be seen by unauthorized persons.
Portable devices
Work with your EHR vendor and health IT staff to ensure remote access to your systems can be secured — for example, if a physician wants to add notes to the patient record after hours from home, or if nurses need to email patients securely about upcoming appointments. Install and enable encryption on any portable device that will be used for purposes of accessing your protected health data. As such, it’s probably a good idea to restrict access to only those devices (mobile phones, laptops, tablet computers) issued by the organization for these purposes. These devices should also have remote wiping/disabling installed and activated, and should not be allowed access to file-sharing applications. It’s too easy to lose or leak data with the wrong touch or click.
Policy and procedure
Know how the backup and recovery system works, including where the documentation will be stored, how to retrieve it and how to test it. Back up data daily and test the recovery system regularly, perhaps at the same time as another important requirement, such as fire-safety checks. Have a policy in place to ensure staff are able to authenticate the identity of health IT staff who might work or make contact remotely.
Hackers are not going to stop trying to access healthcare data anytime soon. Criminal attacks on U.S. healthcare data are up 125% compared with 5 years ago, and hacks have replaced lost laptops as the leading threat to the security of healthcare information. In fact, 65% of healthcare organizations have experienced electronic information-based security incidents over the past 2 years, and yet they admit they’re not taking the steps to enhance and ensure protection of data, according to the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute, sponsored by ID Experts. It is critical to remain vigilant in the quest to safeguard your patients’ information — and, by extension, their privacy.