“Did you hear about that Southern California hospital that paid $17,000 to hackers to unfreeze their systems?”1
“Did you hear about ——”
Data breaches and the security of protected health information are on everyone’s mind these days and for good reason. As attacks and breaches rise and intensify, healthcare executives are confronting the need for increased attention and expenditure on healthcare IT.
We wish we could tell our clients that there was an easy, simple, and affordable way to prepare for and counter data breaches. We know many of our clients are already stretched thin navigating issues like narrowing margins and a payer landscape turned upside down. Data security can, too, often feel like “just one more thing” — and a thing that no one really wants to think about, to boot.
But this cannot be ignored. All the time and effort you’re spending on optimizing all aspects of your revenue cycle management, billing, and record-keeping could be for naught if your organization is taken down by a data breach.
What the Healthcare Data Breaches Look Like in 2016
In 2015, the Office of Civil Rights recorded a staggering 253 breaches in the category “affected 500 or more people.” The combined total of records put at risk? 112 million.
Twenty-one percent of all the breaches were reported as “hacking/IT” incidents. Twenty-nine percent were reported as “theft.”2
All healthcare industry forecasters and leaders expect data attacks and data breaches to continue rising in 2016 and the foreseeable future. With so many providers and payers alike focused on efficiency, patient experience and, yes, revenue cycle optimization, security often gets short shrift from a strategy and spending standpoint. Or, just as bad, it is addressed in a vacuum and only after an incident occurs.
Healthcare providers averaged a spend of less than 6% of IT budget expenditure on security in 2015, according to data from the Healthcare Information and Management Systems Society Analytics group. Compare that to a spend of between 12 and 15% of the IT budget on security in the financial and banking sectors, and it’s immediately clear that healthcare lags.3
Beware of Ransomware Attacks
For smaller providers, such as clinics and physicians practices, the top attack to be aware of is something called ransomware.
Similar to an actual kidnapping and ransom situation, in a ransomware attack, hackers send malicious code into your computer systems and freeze up all of your records and operations. This becomes a security and a business issue — not only is your patient private health data at risk, you also are unable to serve patients or function as a business until the systems are unlocked. The hackers demand you pay a “ransom,” usually in difficult-to-trace electronic currency Bitcoin, in exchange for providing you the decryption key.
Don’t fall into the trap of thinking that because you’re not a large health system or multi-hospital system that you’re too small to come to hackers’ notice. Ransomware attacks are usually predicated against small providers, schools, and other small businesses that usually lack sophisticated protection. Stories of ransomware attacks in the last few years include a three-physician surgical practice and an 18-bed critical access hospital.
These attacks cost almost nothing to launch. The hackers spam a massive list of organizational email accounts, hoping just one of your employees opens up a malicious attachment and releases the malignant code to wreak havoc in your computer systems. Like any scam, victims often don’t want to talk about these situations (whether they paid up or not), so other organizations might not be aware of how prevalent these attacks really are.
What You Should Do: Go Beyond the Regulations
Just being compliant with the security regulations won’t be enough to provide adequate security for your protected health information and electronic health records. Generally, the regulations lay out a list of things you need to do, but you’ll need to assess how much you require for your organization in terms of physical systems, software, IT consulting, and other considerations.
For instance, the HIPAA Security Rule requires the following administrative safeguards:
- Identifying relevant information systems
- Conducting a risk assessment
- Implementing a risk management program
- Acquiring IT systems and services
- Creating and deploying policies and procedures
- Developing and implementing a sanctions policy4
But as far as providing specifics, current regulations do not prescribe best practices. The omnibus bill passed at the end of 2015 does include a provision for the Department of Health and Human Services, the Department of Homeland Security and the National Institutes of Standards and Technology to meet and come up with a list of best practices and guidelines for providers to follow.5
Data breaches of protected health information will continue to be one of the foremost issues in healthcare in 2016, and there’s a lot of fear going around. As a proactive healthcare leader, you can help prepare your organization the best that you can, and stay on top of emerging trends in security and data breaches.
When it comes to insidious data breaches, you’re only as good as your weakest line of defense, which means you’ll need a comprehensive plan to uncover all your potential weaknesses. Of course, no one will be able to completely safeguard every potential point-of-entry or build an impervious organization, but start with your people and your systems.
Rather than simply preparing a static data security policy and thinking you’ve got it covered, being proactive and bolstering your defenses against a data breach (read more about how to do that in our next post) can help you be as prepared as you possibly can be with smart systems and processes at every level of your organization.
Physician Revenue Navigators is a leading healthcare revenue cycle management partner, supporting healthcare organizations of all different practice types with their revenue lifecycles. We help practices with coding, billing, contractual adjustments, collections, HIPAA compliance, and more. Contact us to learn more about how we can assist your organization.
- Joseph Conn, “Hospital pays hackers $17,000 to unlock EHRs frozen in ‘ransomware’ attack,” Feb. 17, 2016, http://www.modernhealthcare.com/article/20160217/NEWS/160219920/hospital-pays-hackers-17000-to-unlock-ehrs-frozen-in-ransomware ↩
- Dan Munro, “Data Breaches In Healthcare Totaled Over 112 Million Records In 2015,” Dec. 31, 2015, http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#7c85d49a7fd5 ↩
- Beth Kutscher, “Healthcare underspends on cybersecurity as attacks accelerate,” March 3, 2016, http://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate ↩
- “How Do I Ensure Security in our System?” http://www.hrsa.gov/healthit/toolbox/HIVAIDSCaretoolbox/SecurityAndPrivacyIssues/howdoiensuresec.html ↩
- Beth Kutscher, “Healthcare industry gets cybersecurity support in omnibus bill,” Dec. 18, 2015, http://www.modernhealthcare.com/article/20151218/NEWS/151219853 ↩