Looking at the numbers, you could call 2015 the Year of the Protected Health Information Breach. By the end of March 2015, almost 90 million medical records had been breached in just two security incidents, surpassing the total number of records breached in all of 2014 in just the first three months.
Advances in cybersecurity in the financial sector have pushed the healthcare sector, and medical records in particular, to the top of the target list for hackers. A stolen medical record potentially contains enough identifying information (name, address, birthdate, Social Security number, and employment) to replicate an identity even for non-medical purposes. When identities are stolen for medical purposes, the risks include exhausting a patient’s lifetime medical benefits and the creation of false medical records that could hinder that patient’s future care. Cybersecurity must be a top priority at urgent care centers, not only to ensure compliance with federal laws but also to protect the privacy of patients.
“Smaller clinics have it tough where there are fewer people wearing more and more hats,” said Brandon Ballard, CHEP, CHC, Security Compliance Officer at Practice Velocity. “And who has time to become an expert in cybersecurity in between seeing patients?”
Here are five steps to improve cybersecurity at your clinic.
Appoint a Privacy Officer: Clinics, like all covered entities, must appoint a privacy officer who oversees the privacy program, develops policies and procedures, and trains staff. This is a HIPAA requirement, but it is also best practice for ensuring that responsibility rests with a named individual and does not slip through the cracks. A privacy officer should ensure that employees are granted access only to the data and systems they need to do their job (the Least Privilege Principle) and that access is removed when employment status changes (Access Controls).
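The two checks named above (access limited to what the role needs, and removal when employment status changes) can be turned into a periodic access review that the privacy officer can run against exported lists. The following is an added example, not code from the article or from Practice Velocity; the role-to-system mapping, the HR roster and the account list are constructed sample data, and real clinics would feed it exports from their HR and EHR/billing systems.

```python
"""Quarterly access review: flag accounts that violate least privilege or
belong to staff whose employment status has changed.

Added example; not from the original article. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical least-privilege baseline: the systems each role needs.
ROLE_SYSTEMS = {
    "front_desk": {"scheduling", "billing"},
    "nurse": {"ehr", "scheduling"},
    "physician": {"ehr", "eprescribe"},
    "billing_clerk": {"billing"},
}


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    status: str          # "active", "terminated" or "leave"
    status_date: date    # date the current status took effect


@dataclass(frozen=True)
class Account:
    user: str
    system: str


def review_access(employees, accounts, today):
    """Return (user, system, reason) findings for every account that
    should not exist as granted: orphaned, post-separation, or outside
    the role's baseline."""
    by_user = {e.user: e for e in employees}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.user)
        if emp is None:
            # Account with no HR record: nobody owns it, so nobody removes it.
            findings.append((acct.user, acct.system, "orphaned: no HR record"))
            continue
        if emp.status != "active":
            days = (today - emp.status_date).days
            findings.append((acct.user, acct.system,
                             f"{emp.status} for {days} days, access not removed"))
            continue
        if acct.system not in ROLE_SYSTEMS.get(emp.role, set()):
            findings.append((acct.user, acct.system,
                             f"not required for role {emp.role}"))
    return findings


# Constructed sample roster and account export.
EMPLOYEES = [
    Employee("jdoe", "front_desk", "active", date(2015, 1, 5)),
    Employee("rlee", "nurse", "terminated", date(2015, 3, 1)),
    Employee("mkhan", "physician", "active", date(2014, 6, 1)),
]
ACCOUNTS = [
    Account("jdoe", "scheduling"),
    Account("jdoe", "ehr"),            # front desk does not need the EHR
    Account("rlee", "ehr"),            # terminated a month ago, still active
    Account("mkhan", "ehr"),
    Account("tmp_contractor", "billing"),  # no HR record at all
]

if __name__ == "__main__":
    for user, system, reason in review_access(EMPLOYEES, ACCOUNTS, date(2015, 3, 31)):
        print(f"{user:15} {system:12} {reason}")
```

Each finding is a removal ticket for the privacy officer; running the review on a fixed schedule (and again on every HR status change) is what keeps the "remove on termination" control from depending on someone remembering.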
Training and Education: Culture is the root of every cybersecurity program, and education sets the tone for a clinic’s culture. We’ve all sat through tedious compliance or HIPAA trainings, and for the most part there is no getting away from them. “We focus on two key takeaways for our trainings,” Ballard explained, “the Minimum Necessary Standard and the Golden Rule of Privacy. Boiled down to the basics, Minimum Necessary Standard says an employee may only access and disclose the least amount of information necessary to do their job. The Privacy Golden Rule states we treat other people’s information like we would want ours treated. If we can apply these two templates to any situation or question we have about Privacy, we will be compliant with the laws and do right by our patients.”
Phishing Scams: When was the last time you checked the Spam or Junk folder in your personal email? “Phishing is quickly becoming the choice tool of hackers,” said Ballard. “Why pound on the back door or break in if a hacker can just knock and be let in the front door?” Ensure that all your employees know how to identify a phishing email, never to click on links or open attachments in phishing emails, and never to give out their password or personal information. Employees need to know that installing software can be a security risk and should only be done when approved by appropriate personnel.
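Knowing how to identify a phishing email comes down to a few concrete checks that can also be automated on the mail gateway: the sender domain is not one the clinic normally deals with, the Reply-To points somewhere other than the sender, and a link's visible text shows one site while its target is another. The following is an added example, not code from the article or from Practice Velocity; the two sample messages and the list of known partner domains are constructed, and a real deployment would draw that list from the clinic's vendor contacts.

```python
"""Flag common phishing indicators in a raw email message.

Added example; not from the original article. Sample messages and the
KNOWN_DOMAINS list are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the clinic legitimately receives mail from.
KNOWN_DOMAINS = {"clinic.example", "ehr-vendor.example"}

# Constructed lure: imitates the EHR vendor, replies go elsewhere, and the
# visible link text does not match the real link target.
SAMPLE = """\
From: "EHR Vendor Support" <support@ehr-vendor-alerts.example>
Reply-To: helpdesk@mail-verify.example
To: frontdesk@clinic.example
Subject: Password expiring today
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://reset-portal.example/login">https://portal.ehr-vendor.example</a>
to keep access.</p>
"""

# Constructed legitimate message for comparison.
CLEAN = """\
From: IT Department <it@clinic.example>
To: frontdesk@clinic.example
Subject: Monthly reminder
Content-Type: text/html

<p>Training slides are on <a href="https://portal.ehr-vendor.example/training">https://portal.ehr-vendor.example</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header):
    """Domain of the first address in a parsed header, or '' if absent."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def phishing_indicators(raw, known_domains=KNOWN_DOMAINS):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if from_dom and from_dom not in known_domains:
        findings.append(f"sender domain {from_dom} is not a known partner domain")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only compare when the visible text itself looks like a URL.
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            actual = (urlparse(href).hostname or "").lower()
            if shown and shown.lower() != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Any one of these indicators is enough to route a message to the privacy officer for a look before staff act on it; the same three questions (who really sent it, where replies go, where the link really leads) are what employees should be trained to ask by hand.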
Technical Safeguards: Privacy and cybersecurity are a mix of culture and technology. Culture is key, but technology must be used. Encryption of mobile devices (including laptop computers) should be mandatory if the device contains any personal health information (PHI). Even if medical records aren’t stored on the mobile device, ensure that no PHI is contained in any reports, bills or emails on it. If PHI is present, remove it and/or ensure the hard drive is encrypted. Keep documentation proving the device was encrypted, to minimize breach liability should the mobile device go missing. Make sure all computers are physically secured and that all employees use strong passwords that aren’t written on a Post-it Note under the mouse pad.
Self-Risk Assessment: There are online tools, such as the one at HealthIT.gov, that let clinics see how effectively they are mitigating risk. A risk assessment helps reveal areas where your organization’s protected health information could be at risk. The risk assessment tool at HealthIT.gov is offered as a 98-question quiz that can be completed incrementally. Ballard said it’s best to complete the full assessment each year, but if you divide the quiz into four sections and do one each quarter you will fulfill that review in the desired time period.
Following these steps will help ensure patient privacy and record security at your clinic. The number of HIPAA claims filed continues to skyrocket—with well over 100,000 complaints received at the U.S. Office of Civil Rights since the rule went into effect in 2013. Nearly one quarter of those resulted in businesses making changes to their privacy practices or facing other corrective actions. The stakes are high, with whistleblower bounties rewarding those who turn sloppy healthcare providers in to cash-strapped government agencies. Don’t let your urgent care center become the site of the next breach.