What would you do if a hacker gained access to your server and demanded payment in exchange for not exposing your data to the world?
That's what happened to Surgeons of Lake County, LLC, a small practice in Northern Illinois, last July when an unauthorized user gained access to — and encrypted — its server in an attempt to force payment in exchange for the password needed to regain access to the server. While this sort of incident isn't as common as a stolen laptop or lost device, it is indicative of a broader trend: data breaches at medical practices.
As more physicians are migrating to EHRs and relying on mobile devices and laptops to interact with protected health information (PHI), data breaches are becoming more common.
According to a recent report from audit firm Redspin, the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. And according to the third annual "Benchmark Study on Patient Privacy & Data Security" put out by Ponemon Institute and ID Experts in December, data breaches are estimated to cost the U.S. healthcare industry an average of $7 billion annually.
Simultaneously, the federal government is cracking down even harder on healthcare organizations. In January, the Office for Civil Rights (OCR) for HHS released the final HIPAA omnibus rule, which modified the HIPAA Privacy and Security Rules, as well as the breach notification rule, to comply with the HITECH Act.
The modification to the breach notification rule requires healthcare entities to essentially prove, through a four-part risk assessment, that there is a low probability that PHI has been compromised. If they can prove that, then they do not need to disclose the breach. Healthcare entities found guilty of data breaches face government fines of up to $1.5 million, plus notification costs and reputational damage, as they need to notify not only their patients, but also the media if the breach affects more than 500 individuals.
"[HHS is] looking to get people to the point where information is safely used," says attorney Andrew Blustein, with Garfunkel Wild, P.C., a law firm with offices in New York, New Jersey, and Connecticut. "Aggressive action in the beginning when you initially discover a problem can only help how the government views you and how your patients view you and help [ensure] that the situation does not spin out of control."
Fortunately, if your patients' PHI has been exposed, taking specific steps in the next 24 hours can minimize the damage — financial and otherwise.
Step one: Contain the situation
Regardless of how a breach occurs, a practice's first job is to try to stop the breach from getting worse.
"The first thing is stop the bleeding," says Blustein, who has worked with healthcare organizations that have had instances of data breach. "So, for example, if I find out a practice has an employee who is giving information inappropriately to someone, I may need to suspend that person or bar their access until I can find out what's going on."
If the breach involves a theft, for example, a practice should call the police before assessing the extent of the damage, says Elizabeth Litten, an attorney with Fox Rothschild LLP in Princeton, N.J., who has represented hospitals, physicians, and other providers and payers on a variety of healthcare issues.