IT Security - a Growing Problem

If you follow any of the daily healthcare internet clipping services you know that it’s not uncommon to see at least one report every week regarding data breaches in a healthcare entity. The breakdown of the IT security procedures have occurred in physician offices, hospitals and insurance companies.

In a study published in 2012 by the Ponemon Institute and the Health Information Trust Alliance it was revealed that the healthcare industry continues to lag behind most other sectors of the economy in stopping data breaches.  (The Ponemon Institute is a private, Michigan based “research center dedicated to privacy, data protection and information security policy.”)   Of the 80 healthcare institutions participating in the study, 18% were standalone medical practices.  Among all of the participants, 94% admitted that they had experienced at least one data breach during the previous 24 months; 45% said they knew of at least five data breaches.

As is usually the case, human error and carelessness were the leading causes of the breaches cited by study participants.  In 46% of data breaches, the employee's computing device was either lost or stolen, which the authors attribute to carelessness.  In 42% of cases, the breach was caused by employee mistakes or unintentional actions.

Develop an Action Plan for Your Practice

To lessen the chance of your ob/gyn practice becoming the next victim of an IT security breach, develop and implement an action plan.  Following are the key elements:

Incident detection and response – Every practice and their Business Associates should be capable of reviewing system activity for the detection of impermissible and improper uses and disclosures of protected health information (PHI).

  • Staff training – It is inexcusable for any medical practice or Business Associate not to have the appropriate training for all personnel related to what is unauthorized in the use and disclosure of PHI. Training should be conducted on an annual basis to keep all staff and physicians up to date and to keep the concept of security in the forefront of practice activity.
     
  • Securing your wireless network – With the high level of implementation of electronic health records, many practices have implemented wireless networks within their facilities. You and your Business Associates should ensure that there is an authentication process that is required in order to access the wireless network. As well, there should be the ability to detect any devices that may be intruding on the network.
     
  • Access and passwords – Medical practices and Business Associates should ensure that their systems are configured to require strong passwords when accessing high risk information. The routine changing of passwords is highly recommended.  As well, don’t set up potential breaches to a good security plan by allowing passwords to be written down and “hidden” somewhere near the staff members’ workstation.
     
    As a rule of thumb, the longer the length of the password, and the greater mixture of characters, that is, including the full alphabet, both upper and lower case, ten digits, and common symbols (!, $, &, etc.) and utilizing an eight character password potentially creates 7.2 quadrillion combinations. At this rate, even a “class F” attack on your computer, which would have to be conducted by a super computer generating a trillion passwords a second, would take 83.5 days to break the password combination! (Source: Lockdown.co.uk.)
     
  • Loss or theft of mobile devices – No matter how many safeguards are put in place, as stated earlier, the most common type of breach occurring of late generally involves the theft or loss of a laptop. However, utilizing Blackberries, iPads and other mobile devices present the same breach opportunities. Accordingly, we highly recommend that all of these types of devices be encrypted and most certainly, password protected.
     
    NOTE: The HHS Office of the Inspector General announced on January 2, 2013 that Hospice of North Idaho will pay $50,000 to settle allegations of possible HIPAA violations after the loss of an unencrypted laptop containing the protected health information (PHI) of 441 patients. This is the first settlement involving a breach of less than 500 patients.
     
  • Basic up to date software maintenance – Making certain that your system is supporting the latest version from your software vendor and that all of the appropriate patches are pushed out to all workstations and mobile devices on a regular basis should be routine. Keeping anti-malware software up to date, including firewalls and other barriers, is critical.

Reviewing and implementing this list is a simple common sense exercise for most medical practices and their Business Associates.  The challenge is making certain that the elements of this exercise are all carried out routinely.

January 2013
L. Michael Fleischman
Stroudwater Associate
mfleischman@stroudwater.com

Contact:

Anne Diamond
Senior Director
adiamond@acog.org