Determine whether your electronic health records security and privacy concerns are keeping you in or out of compliance
Before 2018 ended, there were 1,138 verified data breaches, according to the Identity Theft Resource Center, leaving almost 562 million records exposed. Of these, 29.3% — or 334 breaches in total — involved unauthorized access to medical and/or health care records.
Therefore, one question all health care professionals should ask themselves is whether their electronic health records security and privacy concerns are valid and if records are adequately protected. If not, it is likely to cost you — in many ways.
The costs of a data breach
The IBM-sponsored 2018 Cost of a Data Breach study reports that the average cost of a data breach is $3.86 million, an amount that is up 6.4% over the year before. This breaks down to roughly $148 per individual record lost or stolen.
Not adequately protecting your office’s sensitive data can harm your practice in other ways as well. For instance, if patients fear that you won’t adequately protect their private information, they may choose another chiropractic practitioner instead.
While many health care providers take this issue seriously, data protection experts point to several challenges that practices commonly face in providing adequate levels of electronic health records security and privacy.
Staying current with laws and regulations
“Medical practices are finding it difficult to stay on top of all the recent laws and regulations surrounding data security and data breach notification for their clients,” shares Victor Congionti, Chief Information Officer and co-founder of Proven Data, an online data recovery service. “As legislation continues to evolve here in the United States (and globally), medical facilities need to be aware of all the recent security laws as they come into place to ensure their compliance and provide the best service.”
The Healthcare Information and Management Systems Society indicates that there are two types of security standards health care providers must follow with regard to protecting sensitive data: those that cover health information that is shared electronically, and technical security standards.
Health information shared electronically
The Health Insurance Portability and Accountability Act (HIPAA) falls under the first type and is designed to protect patients’ privacy, with the HIPAA Security Rule addressing ways health care practitioners can safeguard health information shared electronically.
The U.S. Department of Health & Human Services (HHS) elaborates that, under HIPAA, healthcare providers must:
- Ensure that all electronic health records that are created, maintained, or transmitted are kept confidential;
- Protect the integrity and security of confidential data against any reasonable threat, impermissible use, or disclosure; and
- Ensure that the practitioner’s entire workforce complies with this standard.
Meeting these requirements involves instituting administrative safeguards such as developing a security management process, assigning security personnel, instituting information access management, training the workforce in security processes, and evaluating your protocols regularly to ensure that you’re always in compliance.
To stay up to date on HIPAA requirements, it helps to regularly read industry publications like the HIPAA Journal. For instance, on Jan. 31, the journal shared all of the expected updates and changes for 2019, such as those related to potentially removing the requirement for written confirmation of privacy practices and a possible expansion of clearinghouses’ access to protected health information (PHI).
Additionally, if a breach occurs, each state has its own laws regarding notifying those involved. The National Conference of State Legislatures provides links to each one, giving you access to the procedures you must follow in your individual state in the event that unauthorized persons gain access to your private data.
Adhering to technical standards
Technical standards refer to safeguards health care providers can take in-office to better protect their systems from being breached. This involves implementing a variety of access, audit, and integrity controls. Not sure where to start?
“One of the most common methods in which cyber criminals target medical facilities is through open RDP (Remote Desktop Protocol) ports on employee workstations and network systems,” says Congionti. RDP is the protocol that lets a user sign in to a computer and work with its data from a remote host over the network.
While an open RDP port can make sharing information from one computer to the next simpler, it also puts your sensitive data at risk. That’s why Congionti suggests that health care professionals “reduce this vulnerability by closing the RDP ports which can be accessed by malicious actors with little deterrence.”
Another way to better safeguard your practice’s data is to make it harder to access the information to begin with. “Set a policy in which employees must use two-factor authentication for their login attempts to these computer systems,” recommends Congionti. “This can help thwart malicious activity on health care data by increasing the security layer needed to view, access, and edit this information.”
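A practical way to act on the two recommendations above is to check each office workstation for RDP exposure before deciding to close it. The script below is an added example, not from the article or from Proven Data; it assumes a Windows host where it is run from an elevated PowerShell prompt, and it uses the standard Terminal Server registry values, the built-in "Remote Desktop" firewall rule group and the Security event log (English message text) as its sources.

```powershell
# Added example: audit a Windows workstation's RDP exposure and, with -Harden,
# close it as the text recommends. Run from an elevated PowerShell prompt.
param([switch]$Harden)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is turned off on this host.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required before logon.
$nlaRequired = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication -eq 1
# Any enabled inbound rule in the built-in "Remote Desktop" group lets RDP through the host firewall.
$fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
            -ErrorAction SilentlyContinue).Count -gt 0
# A listener on TCP 3389 means the service is actually reachable on the network.
$listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

# Detection: failed logons (event 4625) with Logon Type 10 (RemoteInteractive) in the last day
# are failed RDP attempts; a spike here is the sign of the password guessing the text warns about.
$failedRdp = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} `
               -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Logon Type:\s+10' }).Count

$finding = if ($rdpEnabled -and $fwOpen -and $listening) { 'RDP reachable: close it or restrict it' }
           elseif ($rdpEnabled -and -not $nlaRequired) { 'RDP on without NLA: require NLA' }
           else { 'OK' }

[PSCustomObject]@{
    Host             = $env:COMPUTERNAME
    RdpEnabled       = $rdpEnabled
    NlaRequired      = $nlaRequired
    FirewallOpen     = $fwOpen
    ListeningOn3389  = $listening
    FailedRdpLogons  = $failedRdp
    Finding          = $finding
} | Format-List

if ($Harden) {
    # Turn Remote Desktop off and disable its inbound firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # If a vendor genuinely needs RDP, leave it on but require NLA instead:
    # Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1
}
```

Run it without -Harden first on every workstation to build an inventory, then apply -Harden to the hosts that have no business need for remote access.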
Sharing health records securely
In addition to securing health records within your practice, you must also consider how that information is protected by outside parties who need access to it, such as those involved in billing and collections.
“Sending medical records in a timely and secure manner is difficult as nearly every health care system and individual provider has their own system that is not unified,” explains Chris Goodnow, attorney and founding partner of the law firm Goodnow McKay.
“Many will refuse to distribute the records digitally for security purposes but will send them via mail or fax,” he says. “Unfortunately, these have security issues as well and the entity receiving the protected data must not only upload and safeguard the data once it is digitized, but take precautions (such as shredding both paper files and CDs with sensitive data) to be compliant.”
For this reason, it’s also important to know the security practices of the agencies and services with whom you share private and confidential data. Ensuring that they follow proper protocols helps protect your practice as well.