Protecting Your Practice From Data Breaches: An Expert Interview
Passwords should not be visible to the public.
The privacy of patient data is protected by the Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health Act.1 However, the years between 2010 and 2013 saw data breaches involving at least 29.1 million patient records, and the continuing transition in healthcare to electronic health records (EHRs) is likely to increase these breaches.1
A recent study1 analyzed all breaches in health information reported to the US Health and Human Services Office for Human Rights from 2010 to 2017 and found that breaches increased almost every year during the study period. Analysis of 2149 breaches, comprising a total of 176.4 million records revealed that, although the largest number of breaches involved healthcare plans, the most commonly breached entities were healthcare providers.1
The year 2017 was the worst year ever for general cybersecurity incidents, which doubled since 2016 across all industries, according to a report of the Online Trust Alliance.2 And according to the Identity Theft Resource Center, of 1579 breaches in 2017, almost a quarter (23.7%) were in healthcare.3
To shed light on issues of cybersecurity in medical practices, MPR spoke to Michael J Sacopulos, JD, CEO of Medical Risk Institute (MRI), a firm that provides “proactive counsel” to the healthcare community to identify where liability risks originate and to reduce or remove those risks. He is also General Counsel to Medical Justice Services. Mr Sacopulos is the coauthor of Tweets, Likes, and Liabilities: Online and Electronic Risks to the Healthcare Professional (Phoenix, MD; Greenbranch Publishing: 2018).
What do you think the greatest threat is to cybersecurity in physicians' practices?
People often think that the greatest protection against a data breach is having a good, strong firewall or other technical security features or tools. While obviously those are very important, that type of security doesn't protect against the primary vulnerability of a practice to a data breach. The real threat lies at a human level, in how practice employees handle the technologies that contain sensitive patient information and EHRs. The majority of breaches aren't through software or configuration errors but through human error.
What types of “human errors” are you talking about?
Let's start with phishing scams. About half of data breaches in all industries are the result of a phishing scam. Phishing e-mails seem innocent enough, perhaps providing a coupon or offering a discount or even warning against an ostensible fraud. Some may even contain a legitimate-looking logo, such as that of a bank. But they are a type of e-mail or social engineering attack, in which the cyber criminal asks the reader to enter information into a website field or form, including user ID and password, and other personal information such as credit card number, address, and phone number. If one of your staff clicks onto this and fills in the form, the cyber criminal now has access to your user ID and password, and can then remotely log into your practice or hospital network, gaining access to your data and systems.
Closely related are e-mails that contain malicious software (“malware”) attached. These too can seem to come from legitimate companies, such as banks or Amazon, warning that a bill is overdue or an account is scheduled for suspension. Clicking into the link installs the software, which is very destructive to your system and your network.
Your staff needs to learn how to recognize phishing scams and malware e-mails. Some clues are subject lines that include terms like “Final Notice,” have poor grammar or misspellings or peculiar or excessively formal sentence structure, ask you to update your information, or threaten you with dire consequences if you do not comply.
The staff needs to be instructed not to open the e-mail or attachments, call any phone numbers in the e-mail, share any of your practice's (or personal) information. The e-mail should not be forwarded to other employees either.
Every medical practice should have an IT consultant who should be notified of these e-mails and decide how to handle them.
What other types of human errors are there?
Most devices used by healthcare professionals lack any type of security protection, but devices with patient information — desktops, laptops, mobile devices, and tablets — should be password protected.
Passwords shouldn't be visible to the public. I do security and privacy audits on medical practices and it's almost a coin toss whether I'll find the password to the computer on a little yellow Post-it note on the monitor, keyboard or some other vicinity near the computer. I call it “3M security,” since that's the name of the company that manufactures Post-its.
Passwords should also not be obvious. I visited one practice where there were two passwords for the whole practice: “Doctor” and “Nurse.” Also, passwords should be changed regularly.
If you have encryption, security, and remote data-wiping features on your practice's devices, if one of your devices is stolen, it will be harder for your data to be accessed.
Why would cyber criminals be interested in medical records?
Medical records are a gold mine of information — not only date of birth and social security number but also third-party payer information, where the person is employed, the person's spouse, and so forth. These can be used to file false claims or fake tax returns. Sometimes information is taken from the chart and used for extortion — “unless you pay us, we will release such-and-such information about your psychiatric diagnosis or sexual orientation.” On average, if sold on the black market, a list of social security numbers might sell for $2 per number. Medical charts sell for $85-$125. It's an entirely different order of magnitude and much more lucrative.
How can a practice increase its security?
There are several important steps to take. One is to engage a professional IT expert to conduct an annual risk analysis. You should also regularly review who in your practice has access to which type of information and remove those who do not need to access patients' EHRs. Have policies in place regarding your employees' use of social media, e-mails and access.
What practical barriers are there to implementing these suggestions?
I frequently hear doctors tell me that they don't have the time or they don't have the money to implement these suggestions. For example, you may think you're economizing by downloading a checklist rather than paying an IT professional to conduct assessments. But just as you wouldn't want your patients to diagnose themselves based on their Internet research, you shouldn't be dealing with these technical areas of cybersecurity yourself.
I understand that many doctors have very packed schedules and are overwhelmed, but that isn't a good enough reason to ignore this important area, not only for legal reasons — meaning a potential lawsuit in the event of a data breach — but because it concerns patient safety as well.
Unfortunately, in my experience, many doctors regard cybersecurity as merely a compliance issue, having to obey a law that's not important. But there are ethical and patient safety issues as well. A growing body of research has found that a significant number of patients withhold information from their physician and one reason is that they don't have confidence that the medical system will keep their information secure.
This is an extremely dangerous situation and the excuse of being busy cannot hold water. I once had a surgeon tell me with great irritation that if he needed to enter a password every time he used his computer, it would slow him down. I responded, “You wouldn't run in off the street, grab a scalpel, and perform surgery without scrubbing down beforehand — even though it slows you down. Not ensuring your patients' data is protected is just as harmful of a practice. This is a patient safety issue.”
- McCoy TH, Perlis RH. Temporal trends and characteristics of reportable health data breaches, 2010-2017. JAMA. 2018;320(12):1282-1283.
- Online Trust Alliance. Available at: https://otalliance.org/news-events/press-releases/online-trust-alliance-reports-doubling-cyber-incidents-2017-0. Accessed: December 13, 2018.
- Identity Theft Resource Center (ITRC). 2017 Annual Breach Year-End Review. Available at: https://www.idtheftcenter.org/2017-data-breaches/. Accessed: December 13, 2018.