The Data Breach Prevention and Incident Reporting Protocol
Data breaches in a healthcare organization can occur at any time despite the best-laid plans, sophisticated software, and precautions against human error.
Medical data is twice as likely to be hacked as financial data, and children as young as eight months old have had their data compromised. The fact is that medical data is much more precious than credit card data, because it reveals far more about the person. To a criminal, a medical record is worth more money than the data on a stolen credit card.
For the past 5-10 years, practices have been consumed with the need to implement electronic medical records and conform to CMS regulations for using the software, and security has been placed on the back burner.
That’s changing now. The number of CMS audits has increased, as has the number of prosecutions for violating the Health Information Technology for Economic and Clinical Health Act (HITECH). The same technology employed as mandated under the Affordable Healthcare Act has made it easier for the unscrupulous to gain access to medical records.
Hackers are actually trying to obtain names, birth dates, addresses, Social Security and drivers’ license numbers to open fraudulent credit cards and loans, obtain medical treatment, get prescription medications, and collect income tax returns. In some instances, hackers have used the information from a breach to obtain access to bank accounts over the phone with information given to them by patients.
An additional concern for practitioners and medical facilities is spyware, malware and ransomware. An increasing number of cyber-attacks are targeting smaller clinics that often don’t have the funding needed to hire full-time IT specialists. A set of Medicare ID numbers can fetch $4,500 or more.
There is a range of HITECH-mandated precautions and responses, and a proactive approach provides increased safety for clinics. Once a breach has occurred it is too late, and tracking down the source requires considerable time, effort and resources. Patients often see multiple clinicians, making the process even more difficult.
The HITECH Act
HITECH is part of the American Recovery and Reinvestment Act (ARRA) of 2009, dictating that medical facilities stay current on forms and take all reasonable precautions to avoid unauthorized access to medical records. Those who don’t employ reasonable safeguards can be fined $250,000 for a HITECH violation. Repeat or uncorrected violations have resulted in fines of as much as $1.5 million.
Part of the CMS meaningful use incentive program requires all providers to conduct a risk assessment of their IT systems to review security policies, identify threats, and locate vulnerabilities as part of HIPAA compliance. Practitioners can hire an outside contractor or rely on their software vendor.
Clinic Compliance Manuals
Every practice should have a manual that outlines very specific rules of the clinic and all applicable state and federal rules governing HIPAA compliance. The manual should be updated regularly and amended to reflect changes in Medicare and HIPAA rules, as well as clinic policy.
CONFIDENTIAL
Includes medical records in all forms, billing, spreadsheets and databases, video and audio recordings, credit card information, and student records, along with employee pay, benefits, evaluations and Social Security information.
INTERNAL USE ONLY
This refers to the private practice’s operations, finances, audits, passwords, and all data in connection with any audits or legal activities.
PUBLIC
This information can be disclosed to anyone and may or may not be controlled, including data about or on the clinic website, press releases and social media sites.
Confidential systems must adhere to the security rules of HIPAA, the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS) and the Federal Policy for the Protection of Human Subjects, and include an amendment/termination clause.
Educating employees on current HIPAA rules and regulations is critical. In clinics where staff works with Medicare patients, yearly training is required through an office meeting or they can visit the Medicare website. New employees should have at least two hours of training before being allowed to deal with patients and records. Document who receives the training and how it was obtained.
Compliance training is also required to meet regulations in practices that work with Medicare Advantage plans. Educate staff about leaving electronic devices unattended. Breaches typically occur due to theft of items from the home, office or vehicles. Make it clear that personal electronic devices are never to be used in connection with work.
Encryption is Key
HIPAA doesn’t require that data be encrypted nor does it consider loss of encrypted data a breach, but encryption is a key component for minimizing breaches, particularly with mobile devices. Tablets and laptops are commonplace in practices and staff routinely text therapists about a number of issues. When possible, it’s best to furnish these devices for staff to be used at work only. Keep them under lock and key when not in use and assign someone to monitor them.
When practices offer in-office Internet usage, create sub-networks that are dedicated to guest activity and separate from the clinic’s secure networks for medical devices and all applications used to transmit patient information. That includes separation from tablet sign-ins, patient portals and online payments.
Staff should only be granted access privileges to information that is pertinent to their position and responsibilities. Institute procedures for logging on and off shared machines; use strong passwords, signatures or other high-tech methods when accessing the EMR; and employ automated software to monitor activity and create a digital trail.
This is especially important when multiple facilities are involved. EMR time stamps provide an accurate record of who signed which forms and when. It is a compliance issue if someone tries to retroactively sign forms, and RAC auditors have begun asking for computer logs when problems arise.
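Detection logic of the kind these two paragraphs describe, as an added example that is not the article's or any vendor's code: it scans constructed EMR audit-log lines for signatures applied well after the documented service date and for staff performing actions outside their role. The log format, the role-to-action map and the 24-hour signing window are assumptions made for illustration.

```python
"""Added example: review constructed EMR audit-log lines for retroactive
signing and for use of the record outside a staff member's role."""
from datetime import datetime, timedelta

# Assumed log format: event_time|user|role|action|patient_id|service_date
# (constructed sample data, not real patient records)
SAMPLE_LOG = """\
2024-03-04T09:12:00|jdoe|therapist|SIGN|P1001|2024-03-04
2024-03-19T17:45:00|jdoe|therapist|SIGN|P1002|2024-03-01
2024-03-05T08:30:00|mlee|front_desk|VIEW_BILLING|P1001|2024-03-04
2024-03-05T08:31:00|mlee|front_desk|EXPORT_NOTES|P1003|2024-03-04
"""

# Least-privilege map (assumption): the actions each role may perform.
ALLOWED = {
    "therapist": {"SIGN", "VIEW_NOTES", "EDIT_NOTES"},
    "front_desk": {"VIEW_BILLING", "SCHEDULE"},
}
# Signatures later than this after the service date are flagged (assumption).
SIGN_WINDOW = timedelta(hours=24)


def parse(line):
    """Split one audit line into a dict with parsed timestamps."""
    ts, user, role, action, patient, svc = line.split("|")
    return {"time": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient,
            "service_date": datetime.fromisoformat(svc)}


def audit(log_text):
    """Return (user, patient, reason) findings that a compliance reviewer should examine."""
    findings = []
    for raw in log_text.strip().splitlines():
        e = parse(raw)
        delay = e["time"] - e["service_date"]
        # Possible retroactive signing: form signed long after the visit it documents.
        if e["action"] == "SIGN" and delay > SIGN_WINDOW:
            findings.append((e["user"], e["patient"],
                             f"signed {delay.days} days after service date"))
        # Least-privilege check: action not permitted for this role.
        if e["action"] not in ALLOWED.get(e["role"], set()):
            findings.append((e["user"], e["patient"],
                             f"{e['role']} performed {e['action']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```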
In the Cloud
For clinicians who are considering placing their practice data in the cloud, it is important to understand the service level agreement (SLA) with the potential cloud service provider (CSP). It is essential to ensure that the clinic retains full ownership of any data and records placed in the cloud. Access must be reliable, secure and available if the practice’s own system crashes. Always ensure that the SLA is compliant with HIPAA and all applicable state privacy laws.
Data Loss Prevention
Employees must all be responsible for protecting every aspect of the clinic’s data. Software that helps monitor and detect a breach is essential and should have the ability to block the transmission, storage and reception of suspect data. It also helps to identify, analyze and monitor information on servers, laptops, desktops and flash drives.
If a Breach Occurs
Every clinician should have a good attorney who is well versed in HIPAA law, and should never attempt to withhold known information about a breach. If a breach occurs, the practice will likely be fined by the Office for Civil Rights, and litigation may also be initiated by patients.
A security incident response must be initiated and the proper authorities informed, along with patients if the breach encompasses 500 patients or more. Sometimes a false positive will occur, but a suspected breach is treated as a breach until determined otherwise. An event becomes an incident if one of the following is true:
- Unauthorized activity on the network or device is suspected of profiling, targeting, disabling or thwarting the clinic’s security mechanisms, including intrusion detection and firewalls
- Hardware containing confidential information is lost, stolen, missing or compromised
- Unauthorized use of networks or a device occurs
- An unauthorized user gains access to data or the network
- A significant violation of IT security policy occurs
Only specific individuals are allowed to declare an incident. That individual is responsible for setting in motion a multi-step response process that includes assigning an incident coordinator and investigator, defining the scope and the personnel involved, and determining what data was affected.
Practitioners must use every resource at their disposal to track and monitor access to sensitive data and have HIPAA and compliance manuals in place. Employees must be vetted and appropriate security measures put in place to protect against accidental disclosure of data to people who regularly enter the practice, including cleaning staff, vendors, and even people who maintain aquariums, plants and water dispensers.
Update policies yearly or more often as needed, and maintain staff training as required by government regulations. Personal information, test results and billing issues should never be discussed at the front desk.
One of the most valuable assets a clinic can have against a breach is a comprehensive software solution. In Touch EMR™ provides sophisticated monitoring of passwords, personnel and access and provides military level encryption. The company is one of the only EMR vendors to pass all of the ONC HIT requirements and its software is Medicare and HIPAA compliant.
In Touch EMR™ provides clinicians with cloud servers, affordable subscriptions and IT support, along with automatic updates and back-ups. The company provides the sophisticated tools and resources to aid practitioners in maintaining security and compliance throughout their clinic on multiple devices.
A free demonstration of In Touch EMR™ can be scheduled by calling (800)-421-8442.