Preventing Data Breaches: What Physicians Need to Do

September 24, 2015

Two recent articles underscore the importance of cybersecurity across all facets of a physician’s practice and what questions should be asked.

Recently, I came across two articles, both highlighting some essential items that anyone engaged in creating, receiving, maintaining, or transmitting either protected health information (PHI) or personally identifiable information (PII) needs to know. The Security Breach You Never Imagined and Ten Years Later: Data Governance in the Decade of the Data Breach pose thoughtful questions, as well as regulatory and industry considerations. What follows is a list of questions and explanations for healthcare providers and their business associates to consider.

Who hacks and what are the primary tools used to accomplish the task? The answer is “it depends.” Multiple recent reports have indicated an increased incidence of external attacks relative to internal sources of breaches, and behind that shift are growing numbers of organized crime groups involved in the black market sale of both PHI and PII. As the FBI stated in a release in the spring of 2014, the street value of PHI is roughly 50 times that of PII. This is because a medical record not only contains all of a person’s sensitive information, but also provides a mechanism for Medicare and Medicaid fraud.

The tools that are used are increasingly less expensive, while cyber thieves “[are] find[ing] other creative ways to break into systems and steal data.” The most common form of attack is social engineering, which can occur on site or remotely through means such as phishing. Hence, it is important for physicians, hospitals, and their business associates and subcontractors to keep software patched, train employees to recognize suspicious emails, and avoid relying on anti-virus software alone.

What type of data does a physician’s practice have and how should it be classified and mapped? The article in The Federal Lawyer provides a comprehensive list:

  • “What sensitive information do I have (i.e., data classification)
  • Who uses the information
  • Where is it stored
  • How is it transmitted (collectively, data mapping)?”

Of course, these questions are part of any basic risk assessment. An area that most practices overlook is the Payment Card Industry Data Security Standard (PCI DSS), the card-brand standard that every entity storing, processing, or transmitting cardholder data is contractually required to meet. A crucial item shared by HIPAA, the HITECH Act, and the card-processing standards is encryption. Under the HITECH breach notification rule, finalized in the Omnibus Rule (published Jan. 25, 2013), PHI that is encrypted in accordance with HHS guidance is not “unsecured” PHI, so the loss or theft of that data does not trigger breach notification obligations and the penalties and costs that follow; this is the encryption “safe harbor.” The one item that I cannot stress enough is that the type of encryption matters. The safe harbor does not turn on a single key-length number such as “128” or “256.” HHS guidance points to the NIST standards (NIST SP 800-111 for data at rest; NIST transport guidance such as SP 800-52 for TLS, or FIPS 140-2 validated processes, for data in transit), and PCI DSS defines “strong cryptography” by reference to the same NIST-approved algorithms, with AES at 128 bits and higher qualifying. What disqualifies a product is a proprietary or non-standard algorithm, an obsolete protocol, or keys stored alongside the data. For both encryption at rest and encryption in transit, confirm the algorithm, the mode, and the key management, and keep the evidence. The same security risk analysis, including how data stored in the certified EHR is encrypted, is also required for meaningful use attestation.
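To make the point concrete that “type of encryption” means algorithm, mode, nonce handling, and key length together, here is an added example (not code from the article or from either of the cited pieces) that encrypts a constructed, fictitious PHI record with AES in GCM mode using only the Go standard library. It accepts the AES key sizes that the NIST and PCI DSS definitions cover (128, 192, and 256 bits), rejects anything else, uses a fresh random nonce per record, and shows that a single flipped bit in the stored blob is detected on decryption. The record contents, the `mrn` used as associated data, and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record in the style of a PHI row; not real patient data.
var sampleRecord = []byte(`{"mrn":"000123","name":"J. Doe","dob":"1970-01-01","dx":"E11.9"}`)

// ErrBadKeySize is returned for key lengths outside the AES family.
var ErrBadKeySize = errors.New("key must be 16, 24 or 32 bytes (AES-128/192/256)")

// newGCM builds an AES-GCM AEAD. aes.NewCipher itself rejects non-AES
// key sizes; the explicit check makes the policy visible to the reader.
func newGCM(key []byte) (cipher.AEAD, error) {
	switch len(key) {
	case 16, 24, 32:
	default:
		return nil, ErrBadKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-GCM and returns
// nonce || ciphertext || tag. A fresh random nonce per record is
// mandatory: reusing a GCM nonce under one key breaks both
// confidentiality and integrity regardless of key length.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts. Any change to the stored blob, or
// to the associated data it was bound to (here the record id), fails.
func Open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Demo runs a round trip with a random key of keySize bytes and reports
// whether the key size was accepted, whether decryption returned the
// original record, and whether a tampered blob was rejected.
func Demo(keySize int) (accepted, roundTripOK, tamperDetected bool, err error) {
	key := make([]byte, keySize)
	if _, err = rand.Read(key); err != nil {
		return
	}
	aad := []byte("mrn=000123") // bind the ciphertext to its record id
	blob, err := Seal(key, sampleRecord, aad)
	if err != nil {
		if errors.Is(err, ErrBadKeySize) {
			return false, false, false, nil
		}
		return
	}
	accepted = true
	pt, err := Open(key, blob, aad)
	if err != nil {
		return
	}
	roundTripOK = string(pt) == string(sampleRecord)
	// Flip one bit of the authentication tag; GCM must refuse to decrypt.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, e := Open(key, tampered, aad); e != nil {
		tamperDetected = true
	}
	return
}

func main() {
	for _, ks := range []int{16, 32, 20} {
		acc, rt, td, err := Demo(ks)
		fmt.Printf("key %3d bits: accepted=%v roundtrip=%v tamperDetected=%v err=%v\n",
			ks*8, acc, rt, td, err)
	}
}
```

Running it shows 128-bit and 256-bit keys behaving identically (accepted, round trip succeeds, tampering detected) and a 160-bit key rejected outright. The practical checklist this encodes for a practice evaluating a vendor is: a NIST-approved cipher, an authenticated mode, unique nonces, and a key that is generated and stored away from the data it protects.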

In sum, cybersecurity attacks are only going to become more prevalent. It is incumbent upon all players in the healthcare landscape to stay prepared.