By Rachna Chaudhari, April 01, 2015
As electronic security breaches become common headlines in today’s news, dermatologists should be especially aware if they have electronic health records (EHRs) in their practice. North Korean hackers may not be as interested in your practice’s medical records as they are in Sony’s internal emails, but other nefarious hacking entities have already struck dermatology offices. A dermatology practice in North Carolina was hit with a malware attack by a hacker in 2012, but it did not become aware of the intrusion until September 2014. In that time, the hackers gained access to patient information including names, Social Security numbers, and billing information, among other identifiers. A small surgery practice (non-dermatology) in Illinois was hacked in 2012; the practice was informed that it would not regain access to its servers until it paid a ransom to the hackers. It refused and lost access to all of its medical records.
Hacking patients’ medical records may not be the only way your practice faces a potential privacy breach. The Health Insurance Portability and Accountability Act (HIPAA) requires that practices institute internal security controls to effectively prevent breaches from occurring and that they implement notification policies in case of a breach. The Department of Health and Human Services (HHS) publishes information about breaches that occur on its website, and reports have found that 23 percent of these breaches were due to hacking while 68 percent were due to devices or files being lost or stolen. In fact, a dermatology practice in Massachusetts faced one such scenario and had to pay a $150,000 fine to HHS for losing an unencrypted thumb drive which contained patient medical records (for more information, see the Jan. 31, 2014 issue of Member to Member).
What can a small private dermatology practice do to prevent a breach from occurring and mitigate the damage if one does? First, determine whether your EHR is cloud-based or server-based. A cloud-based EHR has many advantages; however, it can leave you more exposed to online attackers. Confirm with your vendor how they prevent malware attacks and what you can do to reduce the risk of a breach of your system. If you have a server-based EHR, ensure you have the proper physical safeguards in place, such as encrypting backup files and locking the rooms that house the server. Additionally, regardless of the type of system you have, make sure your wireless network is protected by a strong password that cannot be easily guessed. Your system should be encrypted to the latest standards.
Another important step you should take in preventing the loss of protected health information (PHI) is conducting a security risk analysis of your system. Both HIPAA and the meaningful use program require that you perform this analysis annually, and it would serve your practice well to perform it more frequently. The Office of the National Coordinator for Health IT has a helpful toolkit explaining this analysis. Once you complete your analysis, fix any underlying problems and implement policies to address them. For example, ensure employees are not using their personal email accounts to send PHI; instead, they should send this information through the EHR’s secure, HIPAA-compliant electronic exchange.
Other simple steps you can take to ensure data security in your office include installing antivirus software, applying security patches and updates to any programs connected to the Internet, and installing proper firewalls on your system. Your EHR vendor can help you determine which firewalls need to be in place. Also, look into installing software that can disable access to PHI on any devices that staff take out of the office. This would guarantee that your patients’ PHI would not be accessible if the devices were lost or stolen.
If you have taken these steps to secure your PHI, but you find yourself in a situation where your data has been hacked, what should you do? At a minimum, you must report the breach to your patients and to HHS. If the breach affected more than 500 patients, you must also post a notice in major print or broadcast media within 60 days. You can also expect a response from HHS in the form of a HIPAA audit. It will be extremely important that you maintain documentation of all your safeguards and security risk analyses if you face such an audit.