Data breaches in the healthcare sector are steadily increasing, and keeping Protected Health Information (PHI) secure is becoming ever more crucial. Losing patients’ PHI has a significant financial impact on providers: the approximate cost of each stolen record is estimated at around $363.
Since the beginning of this year, about 224 breaches of unsecured PHI affecting more than 500 individuals each have been reported to the U.S. Department of Health and Human Services. Several breaches this year together compromised the PHI of 108,200,000 individuals. The following healthcare providers have been the most damaged by PHI data breaches throughout 2015:
- Excellus Health Plan
- Medical Informatics Engineering
- Premera Blue Cross
- UCLA Health
If you’re in the health IT sector, you have probably spent a lot of time thinking about the meaningful use of Electronic Health Records (EHR), HIPAA compliance, ICD-10 compliance, and PHI security. Over the past year, eligible hospitals, critical access hospitals, and eligible professionals have all been required to meet the requirements of, and participate in, the Medicare and Medicaid EHR Incentive Programs. Regulations have also evolved, and state Medicaid agencies now have until January 1, 2018 to comply with all of the new requirements.
Why Are Cybercriminals Targeting PHI?
PHI and EHR are very attractive to attackers because they are rich in personal data that can be used to steal identities and fraudulently obtain products, benefits, and services. According to the Ponemon Institute, in 59% of cases the stolen PHI was used to obtain treatment services, and in 52% it was used to acquire Medicaid or Medicare benefits; only 14% of breached PHI was used to open fraudulent credit accounts. What’s even more disturbing is that 23% of the individuals surveyed stated that their medical records had been modified by the attackers.
So it’s no surprise that criminal enterprises are targeting PHI: there is money to be made from the data. On the dark web, PHI can easily be found for sale at anywhere from $10--$20 per individual record. Further, PHI can easily be combined with personally identifiable information to build in-depth profiles of individuals known as “full identity kitz,” which currently sell for about $1,000 on the dark web.
As a result, healthcare providers need to ensure that they only collect information that they are able to keep secure. Unfortunately, this does not always happen, because HIPAA compliance has given providers an illusion of security. The issue with HIPAA is that it focuses too much on the privacy of the individual and gives too little thought to security.
Rapid change to the current system is necessary to ensure that providers keep PHI secure and avoid breaches. A data breach damages a provider’s reputation and can have dire consequences for the healthcare brand.
Individuals can also help, provided proper protocols are in place in every practice, no matter how big or small. If a laptop holds sensitive data, steps should be taken (full-disk encryption, for example) to ensure the security of that data in case the device is lost or stolen. The guidelines published by the Federal Trade Commission are a good place to start when approaching the topic of medical identity theft. Patients, for their part, can help themselves by staying alert to any suspicious charges.
PHI Security is the Number One Priority for Healthcare Providers
According to a study conducted by Health IT Outcomes, EHR is no longer the top security initiative, as PHI security has grown in importance over this year. Although EHR is still a major concern in the industry, it is not currently considered the highest priority. Further, the study suggests that the focus for the new year will be a combination of security issues rather than a single issue, as ICD-10 compliance was in 2014.
Security Management – A Seven Step Approach
The Office of the National Coordinator for Health Information Technology has come up with a seven-step approach to security management. Reviewing these steps gives IT professionals in healthcare a good idea of whether they are following the right protocols to ensure PHI security. If some of these steps haven’t already been taken, it’s a good idea to implement them immediately.
Step 1 - Lead Your Culture, Select Your Team, and Learn
The first step is to focus on your EHR development team and hire the best individuals for the job. This entails designating a security officer and using qualified professionals to perform security risk analyses. Further, create a culture in which EHR/PHI developers discuss the HIPAA Security Rule requirements on a regular basis, so that knowledge of the HIPAA rules stays fresh and any changes are identified in a timely manner. Finally, use tools to identify and review security risks, and embrace a work environment that is focused on securing patient information and protecting patient privacy.
Step 2 - Document Your Process, Findings, and Actions
The HIPAA Security Rule requires that all activities, policies, and procedures are well documented. By keeping records, a body of knowledge can be built up and used to enhance security protocols.
Step 3 - Review Existing Security of ePHI (Perform Security Risk Analysis)
Performing risk analyses identifies vulnerabilities in the system. It also reveals opportunities to enhance security across the IT ecosystem.
Step 4 - Develop an Action Plan
Develop an action plan and keep revising it. Keep educating staff about ongoing security analyses and ensure that security remains a priority. The action plan should have a clear structure of responsibilities and should always involve a PHI/EHR developer. It needs to incorporate organizational standards; physical, administrative, and technical safeguards; and procedures and policies.
Step 5 - Manage and Mitigate Risks
This step requires implementing the action plan, educating and training staff to reduce breaches, communicating clearly with patients, and updating business associate agreements (contracts).
Step 6 - Attest for Meaningful Use Security Related Objective
The Meaningful Use programs were developed to help providers transition to EHRs in order to improve the efficiency, quality, and safety of patient healthcare. Register for the EHR Incentive Programs only after completing the security risk analysis. In other words, do not attest until a risk analysis has been performed and documented, and the deficiencies it identified have been resolved.
Step 7 - Monitor, Audit, and Update Security on an Ongoing Basis
The HIPAA Security Rule mandates that audit controls are implemented and used. These enable monitoring of the effectiveness and adequacy of security protocols. Further, it’s a good idea to have a second IT administrator and an EHR developer work together on the audit and monitoring functions. These functions also need to be scaled to the size of the healthcare practice.
PHI and EHR security protocols will continue to evolve next year, and those in health IT need to stay on top of any changes. 2016 will also see a trend of driving costs down while improving patient and staff engagement, revenue integrity, technology tools, and provider integration and consolidation.
Consolidation and integration efforts have already begun to merge physician and hospital revenue cycles under a single platform and leadership structure, and post-acute care services are expected to expand. Patient engagement and satisfaction are also becoming vital, as Medicare ties patient satisfaction to reimbursement. So expect many more changes to take place over 2016.