A Cybersecurity Primer for Healthcare Practices

By Kimberly Chambers, M.S., JD

Hard to imagine, but until very recently, health care professionals coordinated patient care, managed schedules, ordered diagnostic procedures and documented treatment with either handwritten or dictated notes, all on a paper system. Somehow, though it seems unfathomable, it worked.

Welcome to the new reality…

The introduction of cloud technology, smartphones, tablets and even devices networked through the Internet of Things (IoT), such as insulin pumps or heart monitors, has dramatically changed the practice landscape.

While communication among providers has arguably improved, the risk of compromising confidential patient records, financial information and proprietary health care data has increased exponentially; every day we hear of massive data breaches, data corruption, hacking, and data and system ransom… and often the source is a compromise at the level of the small businessperson or contractor. In health care, that could be you: the individual practitioner, lab, imaging practice, rehab facility, etc.

Inevitably, mobile technology has outpaced the laws and regulations governing the use, storage and transmission of protected health information (PHI). Nonetheless, these rules still apply and are vigorously enforced, and non-compliance exposes health care providers to substantial liability and financial loss resulting from data breaches.

The Health Insurance Portability and Accountability Act, commonly known as ‘HIPAA’, was signed into law in 1996.

The familiar components of the legislation that govern the safeguarding of PHI are the Privacy Rule and the Security Rule, which went into effect in 2003.

Most professionals and patients possess varying degrees of knowledge about the Privacy Rule. We deal with it at every access point in health care: pharmacies, doctors’ offices, emergency rooms, urgent care, etc. However, it is the lesser-known, technologically driven Security Rule that is wreaking havoc with independent providers, integrated health systems and health insurers (“Covered Entities”).

The Security Rule, simply stated, requires covered entities to maintain a minimum set of policies and procedures to safeguard PHI and confidential data. These safeguards must include physical, technical and administrative elements. The Rule generally states that providers must “implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.” Robust IT security systems incorporate standard cybersecurity measures designed to protect health care data, including firewalls, authentication controls, anti-virus and malware protection, etc. Interpretation of the regulations naturally extends the same level of security to mobile data devices under the control of the covered entity’s employees and associates… and to the cloud services the covered entity incorporates.

However, the Security Rule does not offer much guidance on how to implement these technological standards, aside from mandating periodic risk assessments and analysis to test the effectiveness of security protocols and identify vulnerabilities. Most importantly, little direction is given on how to maintain safeguards while ensuring providers’ access to the PHI they require to make treatment decisions remotely. The Rule also does not address personal mobile devices belonging to employees, clinicians and administrators.

Predictably, despite the best efforts of compliance professionals, IT administrators and Risk Management, this is precisely where many health care providers are experiencing their greatest liability headaches…

…thus, policies and procedures should extend to all personal devices used by employees, both clinical and administrative, requiring periodic audits, routine device maintenance and security scanning.

The most important takeaway regarding HIPAA and technology is this: make the safety of your data, systems and devices a shared priority with the experts who configure (and store) your data, systems and devices.

Make it a priority. 

Why risk a data breach, an OCR investigation, substantial financial penalties and costly corrective actions, the loss of contracts with larger health networks, and worse… the loss of patients’ goodwill, or lives?

Kimberly A. Chambers is a former Privacy Officer for MedStar Health and former Director of Risk Management & Regulatory Compliance, Bon Secours Health System, both in Maryland. Questions? Contact us at www.soteryx.com or @soteryx on Twitter.