Protect Your Practice From Data Breaches

May 27, 2011
Marisa Torrieri

The feds are cracking down on (even accidental) violations of data security rules. Here's how to avoid serious financial and administrative penalties.

A provider at your practice decides to bring his laptop home, or some patient charts. He leaves them in the car for a quick stop at the grocery store.

This isn't a big deal most of the time. But should the physician return to a car that's been broken into, his practice could end up shelling out hundreds of dollars to inform patients that their personal health data has been stolen. Not only could he potentially lose patients, but his practice will face extra scrutiny in the future by federal authorities.

"It sheds the light on a small or mid-size clinic," says Ed Goodman, an attorney who specializes in security and privacy issues and works with Identity Theft 911, a consultancy whose clients include a number of healthcare organizations. "How many patients are going to feel confident and trusted with you again?"

This scenario is among the most common that security experts say they see at small practices that don't protect themselves. And in an age of e-mails, e-prescriptions, and EHRs, it's a scenario most practices want to avoid in order to stay in business.

Here's your guide to some of the most common data breaches at practices, and how to prevent them.

Why breaches are a big deal

Though HIPAA was first enacted in 1996, the guidelines about privacy "were more bark than bite," says Goodman. A few years later, HHS updated the HIPAA law with the addition of a security rule, which included required and recommended actions for health organizations to ensure the security of protected electronic patient health information.

But it was the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, which gave flesh to those HIPAA additions by imposing stiffer penalties on health organizations found guilty of data breaches, according to legal experts.

These meaty penalties include an increase in maximum fines (up to $1.5 million) and, if the breach involves more than 500 records, the covered entity has to notify the local media in addition to notifying patients and HHS.

"My theory is that the HIPAA stuff entered into HITECH because there were and are many people who are suspicious of technology in general, of databases," says health IT consultant Marion Jenkins. "The government wanted to put more teeth into the idea of a breach of electronic data.

Today's most common breaches

In practices, three of the most common types of data breaches involve e-mail communications, portable device theft, and medical identity theft.

The first two have seen a huge surge in the past three years with the growing adoption of new mobile technology such as smart phones and media tablets, and the use of electronic communications.

"E-mail is like the wild, wild west because the patient side is generally unsecure," says Jenkins.

One of the most common ways data is breached is at its endpoints, rather than in transit, says Andy Podgurski, a computer science professor at Case Western Reserve University who co-authored the study "E-Health Hazards: Provider Liability and Electronic Health Record Systems."

"Breaking a good encryption is very difficult and challenging and requires a lot of expertise, and not a lot of people have that expertise," explains Podgurski. "But [if] a home user has an old version of an operating system, very often there is code circulating on the Web between hackers."

The riskiness of using e-mails to communicate information to patients who may not have the same level of security on their end has spurred the growth of Web portals - systems where a patient has to log in to a secure website to retrieve a message from her physician - at practices. But portals aren't necessarily foolproof.

"Patient portals are generally better than e-mail because there is generally more control, but patient portals can also be set up wrong or with poor security," says Jenkins.

Sending unsecured e-mails is just one cause of data breaches that happen inside the practice; another is when a staff member burns unencrypted data to a CD that is left unsecured.

Another way a practice could find itself in trouble for a data breach is by exposing protected patient data to too many people. Examples of this would be a practice's receptionist who is instructed to screen patient e-mails, or sharing unsecured data with a hired third-party source.

"With the movement to EHRs, it's not going to be a small practice that's going to scan all patient records," says Goodman. "They're going to bring in a vendor."

Finally, a small but growing form of data breach, medical identity theft, is gaining traction in all healthcare organizations. "There's a lot of different reasons for it," says Goodman. "You do have a lot of people who are drug seekers, who are trying to get prescription drugs and don't have legitimate medical issues. It can be a lot easier to use someone else's identity."

A May 2010 report by the Health Information Trust Alliance, a consortium of healthcare, technology, business, and IT security providers, revealed that 65 percent of data breaches were related to thefts (including paper documents and laptops). By comparison, fewer than 2 percent of breaches were linked with hacking or misdirected e-mail.

"Maybe they're working on patient records, maybe they're getting ready for billing, or maybe they're doing some kind of clinical studies on allergies and medication and they lose their laptop," says Jenkins.

Breach-proof your practice

There are no guarantees that if you invest a specific amount of time and money, you can protect your practice 100 percent against data breaches.

Still, by taking certain actions, you can decrease your probability of data theft - and malpractice liabilities stemming from it.

The first line of defense in preventing data breaches is to make sure your operating system's security updates are current.

"Over time, operating system vendors discover security vulnerabilities in their software and publish patches which you can download and install," says Podgurski. "If you don't install them, you're operating a system that has a known vulnerability. There might already be 'exploit code' floating around. By keeping up to date on the security patches, you're plugging known holes in your software."

Another easy way to deter data thieves is to make sure e-mail and portable devices are password-protected. Even better, says Goodman, "don't leave laptops in your car for extended periods."

And perhaps the best way to protect data should you transmit it outside of your office is to make sure it is encrypted.

The HITECH law requires healthcare providers to "notify each individual whose unsecured protected health information has been accessed, acquired, or disclosed," notes Sharona Hoffman, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland.

Therefore, encrypting data spares you from having to notify patients of a data breach in the event of theft.

"If the information is not encrypted that is going to be a really large problem for a healthcare provider," says Hoffman. "If it's secured, if it's encrypted, you do not have to notify HHS."

While inside the practice, to keep data away from the wrong set of eyes, experts discourage the use of shared usernames and passwords for patient files.

"The only people who should have access to protected health information are people who have a need to know," says Goodman. "A receptionist really has the need to know, for instance, when people are coming in for what they are scheduled for. A receptionist might not need to know the patient is HIV positive. That doesn't have anything to do with a patient having a mole removed.

"If you're letting your patients communicate sensitive e-mail to you, maybe the physician and nurse practitioners should be the only ones who can access it."

Even if you're covered in terms of which staff may access patient files, your practice could still be vulnerable to a data breach when data is exposed to a hired third party.

To protect itself, a practice should exercise proper due diligence, says Goodman, making sure the vendor it's using has an awareness of HIPAA requirements, conducts background checks and drug tests on employees, and has proper insurance.

Marisa Torrieri is associate editor for Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the June 2011 issue of Physicians Practice.