If you’re an executive in the healthcare industry in 2016, you know one of your primary concerns is how to prevent a healthcare data breach. We discuss patient health information security, healthcare IT, new types of hacker attacks, and the latest breaches with our clients on a daily basis. It’s on all of our minds all the time.
Last year alone, the HHS Office for Civil Rights (OCR) recorded 253 data breaches that put 112 million private health records at risk.[1] This is no longer "the IT person's problem." Bolstering an organization's defenses against a data breach should be a cross-departmental initiative driven by leadership.
Unfortunately, as any IT professional can attest, building security walls to keep out specific threats only gets you into an unsustainable arms race — with every new threat, you need to add to your increasingly tenuous wall.
So if there’s no bulletproof fix, what can you do? We know many of our clients need to operate in a lean system, but unfortunately, security is one of those things where there’s simply a minimum expenditure to ensure any safety at all.
You can, however, focus on building your security systems and processes to augment your overall operations, rather than distracting from other important initiatives like revenue cycle optimization. If you’re spending on activities that improve security and improve your organization as a whole, they could feel less like large outlays of cash just for the potential of staving off an attack.
You are only as good as your staff. This is true in every initiative, and in protecting patient health information especially so. Here are a few things you can do to help your employees create an environment less conducive to attacks:
- Tie together security and revenue cycle education. Your systems are in place to create the best possible operations for your entire organization, after all. Help your staff understand that abiding by all security rules and staying vigilant yields all kinds of excellent results like better compliance, data security and higher levels of patient satisfaction. All of that, in turn, leads to higher revenue and a better organization for all.
- Keep your staff up to date. As many as 60% of healthcare boards and executives only get security updates as needed. If you get quarterly (or more frequent) updates on finances and operations, why wouldn't you also get security reports on the same schedule? Your staff should be informed whenever a new type of attack is identified in the industry, or when there is a specific threat to you or to one of your vendors.
Without this kind of communication, your staff may not recognize common attacks, and an employee who does not recognize one can compromise you. For instance, providers have run tests in which they sent their own employees emails closely resembling the ones attackers use (called "phishing" emails) to see who would click on the attachments. Without proper education, many employees did.[2]
- Explain your initiatives. This is generally a good idea across the board, but especially with security-related initiatives like new software or procedures. Don't just explain what you're doing, but also why. There have been cases in which a provider's email client didn't play well with the third-party anti-malware program the provider had installed on all computers. Frustrated employees simply removed or bypassed the anti-malware protection, not understanding its crucial role in the provider's security plan.
Allocate Adequate Resources
We know that allocating more toward security can hit small providers hard, but we cannot stress this enough: Do not cut corners on your IT and security. Work with professionals, the same way you work with professionals for your billing activities, revenue cycle management and other crucial aspects of your operation. This is not the place to slash costs.
If it feels painful to allocate the resources, think instead of the hard costs of a breach: data forensics, attorney's fees, reparations, OCR investigations and penalties, potential class-action lawsuits, not to mention the cost of negative publicity and the emotional toll a breach can take on your staff.
Cover Your Basics
There are a few procedural items you should already be doing, and if you’re not, they are relatively easy to implement, including:
- Install anti-malware software on all your computers and keep it (and its signatures) up to date. Your staff members are your first line of defense against a ransomware attack, but don't leave your machines completely vulnerable either. Basic third-party anti-malware won't stop the most sophisticated attacks, but it should catch the commodity malware that mass phishing campaigns deliver.
- Use relatively easy-to-employ technical safeguards. Single sign-on, lock screens, screens that lock automatically after a period of inactivity, and a password (or other authentication) for every session are simple security elements that can prevent less-sophisticated attacks.[3]
- Do not let employees use non-work machines to access work-related systems. Without your security controls on their personal devices, employees could unwittingly give malicious code access to your systems. Ensure that your employees understand that this policy isn't about inconveniencing them, but about protecting the entire organization.
- Do not rely solely on the security of your electronic health record or billing system vendor. In many cases, this is not adequate protection. In other cases, third-party and vendor software may not work well together, causing more security gaps than they’re solving. Again, working with professionals will help you evaluate this.
- Encrypt data on all devices. This measure alone won't save you from sophisticated hacking attacks (an attacker with a valid login sees the same decrypted data your users do), but full-disk encryption protects data at rest on laptops, phones, and portable media, and so helps you resist a breach by theft or loss, which made up almost one-third of data breach incidents last year. Under the HIPAA breach notification rule, protected health information that was properly encrypted when a device went missing is not considered "unsecured" and generally does not trigger a reportable breach, which is a significant benefit on its own.
- Conduct vulnerability tests. Like the test phishing scam mentioned above, the leadership team responsible for IT and security should be conducting regular testing of the systems and the staff. Make sure you use these tests not as a way to punish anyone, but rather as a way to identify vulnerabilities and fixes.
- Get cyber liability coverage. This is an insurance policy that helps cover expenses in the event that your practice experiences a breach and your patients' information is stolen or exposed by hackers or other cybercriminals. These policies cover costs related to notifying patients, credit monitoring, defending claims, fines and penalties, and identity theft losses.[4]
- Ensure your associates are equally vigilant. Healthcare is a highly interconnected world now. The protected health information in your electronic health records regularly moves between systems that don't all belong to you. A breach at another provider, a payer, or one of your business associates could compromise you. Communicate regularly with your partners to ensure that they are also aware of and actively assessing security threats, and make sure every vendor that handles your patients' information is covered by a business associate agreement.
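As an added example (this is not from the original article or from PRN), the following PowerShell script checks a single Windows endpoint against three of the basics above: anti-malware running and recently updated, every volume fully encrypted with BitLocker, and a password-protected lock within 15 minutes of inactivity. The Defender and BitLocker cmdlets are built into Windows 8.1/10 and Server 2012 R2 and later and require an elevated session; the 7-day signature age and 15-minute lock timeout are assumed thresholds, not values the article gives. A practice running a third-party anti-malware product would replace the Defender check with that vendor's own status query.

```powershell
# Added example: audit one Windows endpoint against the "basics" above.
# Not part of the original article. Run in an elevated PowerShell session.
# Thresholds are assumptions; adjust to your own policy.
$MaxSignatureAgeDays = 7      # assumed: signatures older than a week are stale
$MaxLockTimeoutSecs  = 900    # assumed: screen must lock within 15 minutes

$findings = New-Object System.Collections.Generic.List[string]

# 1. Anti-malware enabled, real-time protection on, signatures current.
#    Uses the built-in Windows Defender module; a third-party product would
#    need its own status cmdlet (or root/SecurityCenter2 on client editions).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add("Antivirus engine is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is off") }
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $([int]$age.TotalDays) days old")
    }
} catch {
    $findings.Add("Windows Defender status unavailable: $($_.Exception.Message)")
}

# 2. Every volume BitLocker-protected and fully encrypted (data at rest).
try {
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("Volume $($vol.MountPoint) not fully encrypted " +
                          "(protection: $($vol.ProtectionStatus), status: $($vol.VolumeStatus))")
        }
    }
} catch {
    $findings.Add("BitLocker status unavailable: $($_.Exception.Message)")
}

# 3. Automatic, password-protected lock after inactivity.
#    The machine-wide policy ("Interactive logon: Machine inactivity limit")
#    takes precedence; otherwise fall back to the user's secure screen saver.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
if ($policy -and $policy.InactivityTimeoutSecs -gt 0) {
    if ($policy.InactivityTimeoutSecs -gt $MaxLockTimeoutSecs) {
        $findings.Add("Machine inactivity limit is $($policy.InactivityTimeoutSecs)s, above $MaxLockTimeoutSecs s")
    }
} else {
    $ss      = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $active  = $ss.ScreenSaveActive    -eq '1'
    $secure  = $ss.ScreenSaverIsSecure -eq '1'
    $timeout = [int]($ss.ScreenSaveTimeOut)
    if (-not ($active -and $secure) -or $timeout -eq 0 -or $timeout -gt $MaxLockTimeoutSecs) {
        $findings.Add("No password-protected lock within $MaxLockTimeoutSecs s " +
                      "(screensaver active=$active, secure=$secure, timeout=$timeout)")
    }
}

# 4. Report, and exit non-zero so a scheduled task or management tool can flag the machine.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): all basic controls present"
    exit 0
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

Scheduled across a fleet (for example, as a logon script or through your RMM tool), the non-zero exit code and the list of findings give the leadership team the "regular testing of the systems" the next item calls for, and the per-machine output tells IT exactly which control lapsed rather than who to blame.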
There is no one-size-fits-all data security solution, but the worst thing to do is be paralyzed by fear and indecision. Having the right partners and vendors can help you build a figurative “wall” around your private health information, but you still need to be proactive about identifying weaknesses and plugging gaps in your “wall.” At PRN, we help make sure our clients are addressing these concerns, and we can recommend resources for assistance.
Just as an audit of your revenue cycle management processes can uncover untold revenue opportunities, an audit of your security systems and processes will uncover gaps in your security. Maybe it's low-hanging fruit, like an expired anti-malware subscription, or maybe you need to completely overhaul the way you store and manage your data. Either way, being proactive could save you a lot of grief in the event of a data breach and also make recovery much faster.
Physician Revenue Navigators is a leading healthcare revenue cycle management partner, supporting healthcare organizations of all different practice types to optimize their revenue lifecycles. We help practices with coding, billing, contractual adjustments, collections, HIPAA compliance, and more. Contact us to learn more about how we can assist your organization.
1. Dan Munro, "Data Breaches in Healthcare Totaled Over 112 Million in 2015," Forbes, December 31, 2015, http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#3d6431ed7fd5
2. Beth Kutscher, "Healthcare underspends on cybersecurity as attacks accelerate," Modern Healthcare, March 3, 2016, http://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate
3. HRSA, "How Do I Ensure Security in Our System?" accessed March 25, 2016, http://www.hrsa.gov/healthit/toolbox/HIVAIDSCaretoolbox/SecurityAndPrivacyIssues/howdoiensuresec.html
4. IRMI, "Cyber and Privacy Insurance," accessed April 14, 2016, https://www.irmi.com/online/insurance-glossary/terms/c/cyber-and-privacy-insurance.aspx