Healthcare has been a big target for hackers.
Amid the lingering effects of a global pandemic and federal efforts to tie disparate healthcare IT systems together to fuel data interoperability, HIPAA violations may have slipped from the headlines.
But make no mistake — those who want to illegally access protected health information (PHI) are still working hard to exploit technological shortfalls and human weaknesses to obtain data. The number of breach incidents and the number of affected records both set records in 2021, with 45 million breached patient records across 679 total events, according to the Office for Civil Rights' Breach Portal, the so-called "Wall of Shame." The number of breaches increased just over 2%, but the number of breached records exploded by 32%. To put that in perspective, the records of one in eight men, women and children in the U.S. were exposed last year.
A cursory review of 2021 breaches among cardiology providers (searching for "cardiology" or "heart" in the breach portal and scanning news headlines) revealed seven breaches totaling just over 100,000 records. Two of those breaches accounted for 83,000 records.
Safeguarding PHI is everyone’s responsibility in a cardiology practice.
Any entity privy to PHI is covered by HIPAA regulations, including cardiology practices and all the entities with which each practice exchanges data — insurers, clearinghouses, laboratories, and referral partners, among others.
Healthcare has incurred the highest costs for data breaches of any industry for nearly a dozen years. Between 2020 and 2021 alone, the average cost of identifying and remediating a healthcare data breach rose nearly 30% to $9.23 million. The impact of a breach goes well beyond direct revenue losses and remediation costs; it also includes indirect revenue losses through customer turnover and a dark stain on a practice's reputation and standing in the community.
Healthcare data is prized on the black market because it often includes demographic information and Social Security numbers that can be used to create new identities and apply for credit. A healthcare data breach typically takes more than nine months to uncover, which leaves attackers plenty of time to exploit the security vulnerabilities that let them in. An analysis of 2021 healthcare data breaches shows that network server attacks account for 52% of incidents, compared with email attacks, which account for 29%.
Safeguarding protected health information is never a one-and-done proposition. It must remain top of mind among every person working in the practice. Follow these six steps to decrease the chances that your cardiology practice becomes the victim of a cyber incident.
Create a plan covering data privacy/security within your office and while data is in transit to other providers.
If you don’t know where to begin, check with other local practices or medical associations on how they have dealt with privacy/security planning. Larger cardiology practices or those within a health system are likely sufficiently covered, and smaller practices may be best served by outsourcing data security planning. But once a plan is in place, every staff member is responsible for understanding and following all security policies and procedures.
Enforce compliance efforts, and sanction if necessary.
Compliance requires constant monitoring until following policies and procedures becomes automatic. Use the buddy system to provide another set of eyes to ensure that computers are locked whenever left unattended (even for a minute). Empower anyone to log off an unattended terminal or computer and notify the privacy officer. Don't allow passwords to be affixed to computer screens or left visible in workspaces. Use multifactor authentication to further protect passwords and critical IT systems.
Follow through with sanctions for repeated or blatant violations. An egregious security lapse must be dealt with immediately and in the appropriate manner. Verbal warnings, written warnings, and terminations should all be on the table, not necessarily in that order.
Provide ongoing privacy/security training.
In addition to initial training, the importance of adhering to security guidelines should be reinforced at every opportunity. A weekly or bi-weekly email detailing security measures is an excellent start to that reinforcement.
Training should occur for new hires, whenever significant changes occur, at least annually to reinforce learning, and for individuals who consistently or blatantly do not follow privacy/security rules (sanction training). Everyone should receive follow-up training on at least an annual basis to reinforce the guidelines and provide updates on any changes, and employees should be queried on what they learned. Accurate records must also be kept of who has received training.
Collaborate and communicate with the entire staff on privacy/security issues.
Security does not fall on one person or department. Instead, it is a collaborative effort among everyone in the practice. Every cardiology practice must have a security and privacy officer, and everyone must know who that person is.
Make it easy to contact the privacy/security officer, perhaps with an email address on an intranet site. And adopt a non-retaliation policy, so there are no repercussions for reporting lapses in security.
Review your privacy/security program.
Privacy and security measures should be monitored on at least an annual basis. You can outsource the entire audit or perform some of the tasks in-house.
At a minimum, review policies and procedures related to security and privacy, covering both the physical security of devices and the privacy of the data they contain. Low-tech devices such as fax machines and copy machines, which retain data, and any hardcopy patient records should also be addressed in the review. The review should also include implantable devices that require remote connectivity. If a vulnerability in such a device is found by a malicious party, the impact could be deadly for any patient who has one. This is why it is crucial that the practice or its security vendor can track every patient with the device, so that the device can be properly patched to protect the patient from a deadly event.
If your practice has experienced compliance issues, discover the root cause of each to understand what could have been done differently to prevent it. Based on those findings, update your privacy/security plan accordingly.
Measure the effectiveness of privacy/security compliance.
Physicians and other stakeholders should understand the importance of maintaining data security to the future health of the practice. If your practice doesn’t yet have a mature privacy and security infrastructure, create an action plan with goals and timelines for compliance. Investigate unmet goals to determine why and how to improve in the future.
Safeguarding protected health information is everyone’s responsibility. Although hacking incidents and ransomware attacks attract headlines, nearly 30% of breaches are phishing attacks that use email to trick users into performing some action or clicking on a suspicious link.
Until healthcare providers, business associates and third-party entities take data security seriously and commit sufficient resources to combat breaches, data will continue to be inadvertently exposed or deliberately exploited. Establishing and following a compliance plan, training staff, and performing periodic audits will go a long way toward protecting cardiology practices from breaches.
Vinod Nair, MD, is an Interventional Cardiologist at Cardiovascular Institute of the South; he is also the President and Chief Software Architect at Objective Medical Systems. With more than twenty years' experience in both interventional cardiology and computer science, he is board certified in cardiovascular disease and interventional cardiology. Dr. Nair is a fellow of the American College of Cardiology and the Society for Cardiovascular Angiography and Interventions.