Healthcare is changing at a rapid pace as provide endeavor to maintain maximum efficiency while navigating a technology-rich environment.
But as a result of their reliance on electronic data, chiropractic practices have become vulnerable to cybersecurity threats.
The growing volume and sophistication of cyberattacks suggest that practices will have to grow increasingly vigilant to ward off these threats. A breach of cybersecurity will inevitably lead to significant expenses, both financial and reputational, which can wreak havoc on a practice.
Tempting targets
Many practice owners believe cyber-criminals do not pose a significant threat to them. However, when choosing between a large corporation or bank with security teams and
firewalls preventing access to databases and a practice with no firewall or security team, the practice could be the chosen target. In fact, many hackers specifically target small chiropractic offices because a small practice may not have sophisticated security nor enforce employee security policies.
Why would you be a target for cyber criminals? Your practice holds a vast amount of data, including the names, health history, addresses, birthdates, social security numbers, and even banking information of hundreds—perhaps thousands—of patients.
The threat of this information being stolen by a staff member or a cybercriminal is great, and a practice owner must address these concerns before a theft creates a legal nightmare.
Daunting penalties
Healthcare organizations make up roughly 33 percent of all data security breaches across all industries, and the healthcare industry is the most-breached industry in the U.S. According to the U.S. Department of Health and Human Services, almost 21,000,000 health records have been compromised since September 2009.
It has been shown human error causes the majority of personal health information data breaches, and the actions of healthcare employees cause three times as many breaches as external attacks.
The most common causes of data breaches in healthcare organizations are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper disposal of records. A significant proportion of healthcare breaches are the result of lost or stolen mobile devices, tablets, and laptops.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to maintain the privacy of patient health information and to take security measures to protect this information from abuse by staff members, hackers, and thieves. The penalties imposed on healthcare providers for HIPAA violations are great. Monetary penalties can range from a fine of $100 to $50,000 per violation, with a $1,500,000 maximum annual penalty.
In addition to the federal fines, practice owners may face penalties imposed at the state level as well as lawsuits filed by disgruntled patients whose health information has been compromised.
Steps toward security
It is crucial to take the necessary steps to ensure your practice is in compliance with HIPAA provisions regarding computer security. Because the majority of data security breaches occur when staff members fail to follow office procedures or exercise poor judgment, the location of the computers within the practice is key.
All computers should be placed in areas where the monitor screens are not visible to patients and visitors, and strong passwords should protect access to each computer. Passwords should contain mixed-case letters and include numbers or symbols, and they should be changed regularly.
In addition, passwords should not be written down under keyboards or kept on surfaces where the public may be able to access them. Provide training to ensure that all your staff members understand the importance of maintaining the privacy of patient health information.
Every practice should have a policy that includes steps for safeguarding patient information and educates staff members as to how to comply with the office policy. A strict internet and computer-use policy should be enforced that prohibits staff members from checking personal email accounts or visiting internet sites that are not work-related.
Concurrently, ensure all firewalls, operating systems, and hardware and software devices are up-to-date, strong, and secure, and that wireless networks are shielded from public view.
Antivirus software should be installed on every computer and updated regularly.
When accessing office data remotely, you and your employees should use trusted Wi-Fi hot spots and never use shared computers. Smartphones and tablets should be password protected to prevent easy access to patient information in case the device is lost or stolen.
In addition, all hard copies of documents with patient information should be shredded. Finally, to ensure that your practice is HIPAA compliant, data transmitted to payers, health plans, and other healthcare providers may need to be encrypted to ensure that a hacker will not have access to this data while it is in transit.
Remediation measures
Because practices are subject to heightened government enforcement and the scope of fines and penalties for data breaches has increased, many practice owners have relied on cyber insurance for protection in the event of a data breach. These insurance policies cover the cost of investigating a theft, compensate the insured for all state and federal fines and penalties imposed, and fund all related lawsuits and legal fees, thus relieving practice owners of the burdens resulting from a data breach.
It would be prudent, then, to invest in data security and in the proper training of your staff members as to the acceptable use of office computers. If plans and policies are put in place proactively and steps are followed to ensure HIPAA security compliance, your practice should be able to prevent the significant costs and headaches involved in responding to a cyber- theft.
If a security breach does occur, it is imperative you take appropriate action immediately, which includes deter- mining how the breach occurred and the extent of the damage. In addition, immediately following a security breach should one occur, be very careful whom you initially contact to provide information. Any improper or accidental disclosure to a third party other than your practice’s legal counsel could be subject to the rules of discovery if litigation occurs, which could increase your liability exposure.
Stuart J. Oberman, Esq., is founder and president of Oberman Law Firm, a midsize practice in the Atlanta area. Practicing law for more than 23 years, he handles a range of legal issues for chiropractors, including employment law, cybersecurity, practice sales, real estate transactions, lease agreements, OSHA compliance, chiropractic board complaints, and professional corporations. He can be contacted through obermanlaw.com.
