KPMG conducted a survey a couple of years back with 223 health care executives. In this survey, 80 percent of these executives stated that cyber-attacks had compromised their I.T. In spring of 2017, WannaCry disabled 37 health enterprises’ systems and, by the end of it all, had spread to 150 countries. This trend will only get worse as time goes on. Not only do health care providers need to be aware of and ready for security breaches from the outside world, they also need to be ready for information breaches within their own organizations.
It’s not if, it’s when
According to J. David Sims, author of Healthcare is in Dire Need of HIPAA Compliant MSPs,
The health care community has been dragged, nearly kicking and screaming into the digital age…. Many providers are using outdated or insufficient EMR (electronic medical records) software…. In most cases, security is either very basic or non-existent. … In the digital world, you can pack an entire office of medical records on nearly any modern USB drive, laptop, smartphone, tablet, etc…. The Internet of Things is quickly becoming an even greater problem…. Copiers, medical devices, watches and more are all connected, and many times within the same environment with no access limitations between devices. This means that someone could hack a respirator pump, and then gain access to a server.
After learning more about this incredible risk for not just health care executives, but also the public (as we all get sick sometime), I decided to sit down with David C. Blake, PhD, JD, to learn more. Dr. Blake is a former vice president at Cedars-Sinai Medical Center in Los Angeles, where he served as chief compliance officer and chief privacy officer. I asked Dr. Blake two questions:
- What are today’s major challenges in protecting medical records and health information?
- What are the consequences for health care providers when confidential information is seen by the wrong person or disclosed to those who have no right of access?
The ease of (wrongly) accessing medical records
“There is always the possibility of someone inside a health care organization inappropriately accessing and/or disclosing a patient’s medical information for nefarious reasons,” Blake told me, “but the greater dangers are simple mistakes and idle curiosity.”
The doctor described how easily medical information might be misdirected in the course of everyday business operations like faxing information to a wrong health care provider or emailing information to other staff who have no permission to receive the information. Then there are the cases of staff accessing records they have no business accessing (simply out of a curiosity about the condition of a patient who might be well-known, a family member, or a fellow employee).
There are also serious security flaws in electronic health records (EHRs). For example, nurses can access the nursing records of any patient in the system, even if that patient is not their own.
That’s, unfortunately, just how EHRs work.
So, what does this mean for health care executives?
Health care providers face a legal standard of strict liability when it comes to protecting a patient’s medical records. Penalties and fines are imposed on providers when intentional wrongdoing occurs, but there are also penalties and fines—often quite substantial—even if no one intentionally meant to do anything wrong.
“Preventing intentional wrongdoing is one thing, but trying to minimize mistakes and curiosity is a wholly different challenge for executives in health care.”
—David C. Blake, PhD, JD
Luckily, health care executives have a number of ways to address and reduce these risks:
- Training: “Training is one way, but the training needs to be repetitive, required of every staff member, and clear regarding the consequences for not following the rules,” Blake advised. He emphasized, “Employees need to know that there are no second chances when it comes to violating the rules regarding protecting a patient’s medical records.”
- Add More Security & Monitoring to EHR: Electronic warnings, duplicate password requirements, and other similar measures add layers of security to individual records. Provider organizations might also institute monitoring tools that track who is accessing which records within an EHR. “Catching an inappropriate access shortly after it occurs can greatly reduce the consequences of the violation,” Blake noted.
- Consult I.T. Professionals: “Federal and state statutory and regulatory requirements for protecting the privacy of medical information and the security of EHRs are incredibly complicated and challenging,” Blake noted. He warned that “the stakes are too high for relying on someone who is not professionally trained and experienced in HIPAA and state privacy rules.” He concluded by noting that the price of such expertise is well worth the cost, given the reduction in risks it can secure.
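The access monitoring Blake describes, as an added example that is not the article's or NetGain's code: it replays constructed EHR audit-log lines against a constructed care-team roster and flags the two patterns the article names, staff viewing a patient they have no treatment relationship with and staff viewing a fellow employee's chart. The log schema, the roster and the patient/user identifiers are all assumptions for illustration; a real EHR audit trail carries more fields and derives the treatment relationship from orders, admissions and scheduling data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed roster: which staff have a treatment relationship with which patient.
CARE_TEAM = {
    "P1001": {"nurse_ann", "dr_lee"},
    "P1003": {"dr_lee"},
}

# Constructed: patients who are also employees (the "fellow employee" case).
EMPLOYEE_PATIENTS = {"P1003": "nurse_bob"}


@dataclass
class Access:
    ts: str        # event timestamp
    user: str      # staff account that opened the record
    patient: str   # patient whose record was opened
    action: str    # e.g. "view"


def classify(evt: Access) -> Optional[str]:
    """Return a finding label for a questionable access, or None if it looks legitimate."""
    if evt.user in CARE_TEAM.get(evt.patient, set()):
        return None                          # treatment relationship exists
    if EMPLOYEE_PATIENTS.get(evt.patient) == evt.user:
        return "self_lookup"                 # staff reading their own chart
    if evt.patient in EMPLOYEE_PATIENTS:
        return "coworker_record"             # snooping on a fellow employee
    return "no_treatment_relationship"       # curiosity / well-known-patient snooping


def audit(events: List[Access]) -> List[Tuple[str, str, str, str]]:
    """Run every event through classify(); return (ts, user, patient, finding) tuples."""
    return [(e.ts, e.user, e.patient, label)
            for e in events if (label := classify(e))]


def parse_log(text: str) -> List[Access]:
    """Parse constructed CSV lines of the form 'timestamp,user,patient,action'."""
    return [Access(*line.split(",")) for line in text.strip().splitlines()]


# Constructed sample audit-log lines (not real data).
SAMPLE_LOG = """2017-05-12T08:01:00,nurse_ann,P1001,view
2017-05-12T08:05:00,nurse_ann,P1002,view
2017-05-12T09:10:00,nurse_bob,P1003,view
2017-05-12T09:15:00,nurse_ann,P1003,view
2017-05-12T09:30:00,dr_lee,P1003,view"""

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample log it reports three findings and passes the two legitimate accesses; in practice the roster lookup is the part that needs the most care, since a stale or incomplete roster produces either alert noise or silent gaps.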
Some health care organizations may be well taken care of through their internal I.T. departments—and that’s GREAT—but many health care executives are facing overload, budget constraints, and confusion. That’s where managed I.T. services providers (MSPs) can bring value. It is important for health care providers to look for an MSP with two areas of expertise: HIPAA compliance knowledge and SOC 2 Type II certification. When doing due diligence, also ask to see their BAA (business associate agreement). This document ensures the MSP shares some of the I.T. liability as part of contracted services. The I.T. support you have could be the difference between avoiding and incurring fines, gaining and losing patients, and taking your organization to the next level or miring yourself in the status quo.
Interested to see where your I.T. stands or in need of outside I.T. support? Visit NetGain Technologies’ website for more information on our services, including our new virtual chief security officer (vCIO) offering.