Privacy breaches: beware

27-10-2014

No healthcare organization is safe from data breaches, and as cyberattacks become more sophisticated, it becomes increasingly important for consumers to stay one step ahead of the perpetrators. Michelle Foster Earle, president of OmniSure Consulting Group, offers her advice.

Although no patient data were breached, Healthcare.gov was hacked on September 5, leaving many healthcare organizations wondering if hackers might get into their system too. On August 18, it was reported that Chinese hackers had harvested the personal data of 4.5 million patients served by Community Health Systems (CHS), which is the largest reported cyberattack to date.  

Robert Wah, MD, new president of the American Medical Association, warned healthcare providers and other organizations to prepare for a breach on a similar scale to the one that affected millions of Target's customers in December 2013. Health data stewards are in a race against incredibly sophisticated cybercriminals who are motivated by easy money. A health record could bring anywhere from $20 by itself to $1,000 when bundled with other documents that can be used for credit theft, identity theft, financial or medical fraud, and even obtaining prescriptions for controlled substances.  

Cyberattacks are only one of the ways breaches happen in healthcare. Theft of laptops, improper disposal of paper records, unauthorized access to e-mail or network servers, and improper disposal of laptops, mobile devices, and other portable electronics are all reported regularly. Firewalls, routers, and network security for providers present special risks as well.

Just as medical facilities prepare for potential medical errors with patient safety initiatives and medical professional liability insurance, it's important to prepare for the potentially devastating impact of a data breach. If you've not hired an expert to test your cybersecurity, it is highly recommended that you do so. Many cyber liability insurance policies come with cyber risk consulting. Get an expert opinion. 

In the meantime, you can use the table as a preliminary checklist* for auditing your data security. 

*The checklist has been formed from information provided by the Commonwealth of Massachusetts for the following article: 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf 

[Image: checklist.jpg]

Other helpful resources

Health Breach Notification Rule: http://business.ftc.gov/privacy-and-security/health-privacy/health-breach-notification-rule 

Health Information Privacy Training and Tools: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/  

Mobile Devices: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security  

Michelle Foster Earle is the president of OmniSure Consulting Group, a risk management firm contracted by some of the nation’s leading medical professional liability insurance companies to help medical practices, hospitals, healthcare facilities, and providers of healthcare and social services nationwide reduce risk, improve performance, and avoid lawsuits. She has earned designations in healthcare management, is a licensed General Lines Property and Casualty agent in Texas, and is an Associate in Risk Management.