It has become a bad routine. A new week, another data breach report in the news. The recent breach reported by Community Health Systems Inc. affected 4.5 million patients! This data breach parade isn’t likely to stop soon. Healthcare organizations big and small continue to lose confidential patient data at an alarming rate, with serious consequences for them and their patients. It is therefore vital that skilled nursing facilities (SNFs) take adequate steps to protect confidential patient information as they move their business from the paper to the digital world.
The HIPAA Security Rule requires healthcare organizations and their business associates to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI) at rest (stored) and in motion (transmitted). It is a common misconception among healthcare organizations to assume that they are HIPAA compliant and/or their ePHI is secured if:
- They use HIPAA compliant technology, and/or
- They do not have an EMR (electronic medical record).
Nothing could be further from the truth. First of all, technology is not HIPAA compliant; organizations are! This means that SNFs need to use the technology in a secure, HIPAA compliant manner. Second, ePHI does not reside only in the EMR. It is also in emails, and in documents and images on computers, servers and mobile devices like laptops, cell phones, tablets and USB memory sticks. Healthcare professionals are also using texting and online file sharing services to conveniently share confidential information. Any of these avenues can potentially be the cause of a major data breach.
Here are ten common scenarios that lead to data breaches:
1. Loss / theft of laptops or mobile devices containing ePHI.
Attending physicians, nursing staff or administrators may have ePHI on their laptops, smart phones, tablets or USB thumb drives. Mobile devices, though convenient, are easy targets for thieves and the most common way to lose data. Protecting data on these devices (for example with full-disk encryption and remote wipe) is key to preventing a data breach at your facility.
2. Lack of appropriate authentication/audit software and controls to secure access to ePHI.
Do you monitor and audit personnel access to patient data? What technology, policies and procedures does your facility have in place to limit ePHI access to authorized staff only?
3. Unsecure medical devices connected to the network.
Any device connected to the facility network, including medical devices and printers, can potentially be reached remotely by an attacker. Patient data is at risk if these devices are not secured appropriately.
4. Hard drives on photocopiers.
Many organizations lease photocopiers. Remember that these machines have hard drives that may contain patient data. This data needs to be destroyed before the machine is returned to the leasing company.
5. Software updates or system maintenance.
Software upgrades and system maintenance can potentially leave ePHI unsecured. Make sure that the IT service company understands data security and HIPAA compliance and ensures that the data is secured after an upgrade or routine system maintenance.
6. Stolen passwords, or weak passwords that are easy to guess or crack.
Train employees to use strong passwords for their access credentials and not to share this information with anyone.
7. Use of unsecure file sharing software/services.
Prohibit use of file sharing services without prior authorization from the information security officer. Free cloud-based file sharing services are meant for consumer use. They are not safe for storing or sharing ePHI.
8. Use of unsecure email or text messaging services.
The argument in #7 applies to the use of free email and text messaging services. Do not allow employees to email or text ePHI using these free consumer solutions. There are a number of secure, HIPAA compliant email and messaging services available on the market that your organization can use.
9. Viruses or malware in the computer system.
Ensure that your computers receive anti-virus updates and security patches on a regular basis. Implement a strict computer usage policy that clearly states what is acceptable and unacceptable computer usage.
10. Unintentional employee action or error.
Unfortunately, despite all precautions, employees do make mistakes. The only way you can minimize this risk is through regular data security training for all personnel.
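Scenario #2 asks whether you monitor and audit personnel access to patient data. The following is an added example, not code from the original article or from Kinara Insights, of the kind of check a simple audit review can perform: compare an ePHI access log against a roster of which staff are assigned to which patients, and flag any access by an unknown user or by a user not assigned to that patient. The roster, the log format (timestamp, user, patient ID, action) and all log lines are constructed for illustration.

```python
"""Added example: review an ePHI access audit log against a care-assignment roster.

All data below is constructed for illustration; the log format and field names
are assumptions, not any particular EMR's audit format.
"""
import csv
import io
from collections import Counter

# Constructed roster: user -> set of patient IDs that user is authorized to access.
# A billing administrator with no chart access has an empty set.
ROSTER = {
    "rn.alvarez": {"P1001", "P1002"},
    "md.chen": {"P1001", "P1003"},
    "admin.kim": set(),
}

# Constructed audit log, one CSV row per access: timestamp,user,patient_id,action
AUDIT_LOG = """\
2014-09-02T08:01:10,rn.alvarez,P1001,view_chart
2014-09-02T08:05:44,rn.alvarez,P1002,update_notes
2014-09-02T09:12:03,md.chen,P1003,view_chart
2014-09-02T09:40:18,admin.kim,P1002,view_chart
2014-09-02T22:15:51,unknown.user,P1001,export_record
2014-09-02T23:02:07,md.chen,P1002,view_chart
"""

FIELDS = ("ts", "user", "patient", "action")


def parse_audit_log(text):
    """Parse CSV audit rows into a list of dicts keyed by FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if row]


def find_unauthorized_access(entries, roster):
    """Return log entries where the user is unknown or is not assigned to the patient.

    Each finding is the original entry plus a 'reason' field explaining the flag.
    """
    findings = []
    for entry in entries:
        allowed = roster.get(entry["user"])
        if allowed is None:
            findings.append({**entry, "reason": "unknown user"})
        elif entry["patient"] not in allowed:
            findings.append({**entry, "reason": "patient not on user's care assignment"})
    return findings


def access_counts_by_user(entries):
    """Per-user access volume; a sudden spike is worth a second look even if authorized."""
    return Counter(entry["user"] for entry in entries)


if __name__ == "__main__":
    entries = parse_audit_log(AUDIT_LOG)
    for finding in find_unauthorized_access(entries, ROSTER):
        print(f"{finding['ts']} {finding['user']} -> {finding['patient']} "
              f"({finding['action']}): {finding['reason']}")
    print(dict(access_counts_by_user(entries)))
```

In a real facility the roster would come from the EMR's care-team or scheduling data rather than a hand-written dictionary, and the review would run on a schedule rather than once; the point of the example is that an audit is only possible when access is logged per user and there is an authoritative record of who is supposed to see which patient.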
SNFs need to be aware of the potential risks to their patient data in each of these scenarios. Knowing where data is stored and how it flows through the organization helps identify threats to the data, which in turn helps in implementing appropriate security controls to protect it. Investing in secure technology, implementing appropriate security policies and procedures, and training employees regularly goes a long way toward preventing data breaches and maintaining HIPAA compliance.
Sameer Sule is the founder and President of Kinara Insights, a healthcare technology consulting company specializing in patient data security and HIPAA compliance. From planning to implementation, Sameer helps his clients leverage technology in a secure manner to deliver better patient care and be profitable. Subscribe to the Kinara blog at www.kinarainsights.com/blog to receive regular tips, advice and insights on secure technology usage in healthcare. You can also meet Sameer and hear him speak at the upcoming HARMONY 2014 symposium.