Data breaches in the healthcare sector are steadily increasing, and keeping Protected Health Information (PHI) secure is becoming ever more crucial. Losing patients’ PHI has a significant financial impact on providers, with the cost of each stolen record estimated at around $363.
Since the beginning of this year, about 224 breaches of unsecured PHI affecting more than 500 individuals each have been reported to the U.S. Department of Health and Human Services. Several breaches this year together compromised the PHI of 108,200,000 individuals. The following healthcare providers were hit hardest by PHI data breaches throughout 2015:
If you’re in the health IT sector, you have probably spent a lot of time thinking about the meaningful use of Electronic Health Records (EHR), HIPAA compliance, ICD-10 compliance, and PHI security. Over the past year, eligible hospitals, critical access hospitals, and eligible professionals have all been required to meet the requirements of, and participate in, the Medicare and Medicaid EHR Incentive Programs. Regulations have also evolved, and state Medicaid agencies now have until January 1, 2018 to comply with all new requirements.
PHI and EHR are very attractive to hackers because they are rich in personal data that can be used to steal identities and obtain products, benefits, and services. According to the Ponemon Institute, 59% of victims saw their PHI used to obtain treatment services, while 52% saw their information used to acquire Medicaid or Medicare. By contrast, only 14% of breached PHI data was used to open fraudulent credit accounts. Even more disturbing, 23% of the individuals surveyed stated that their medical records had been modified by the hackers.
So it’s no surprise that criminal enterprises are targeting PHI: there’s money to be made with the data. On the dark web, PHI can be found for sale at anywhere from $10--$20 per individual record. Further, PHI can easily be combined with personally identifiable information to build in-depth profiles of individuals known as “full identity kitz.” These days, such a profile sells for about $1,000 on the dark web.
As a result, healthcare providers need to ensure that they only collect information they are able to keep secure. Unfortunately, this does not always happen, because HIPAA compliance has given providers an illusion of security. The issue with HIPAA is that it focuses heavily on the privacy of the individual and gives comparatively little thought to security.
Rapid change to the current system is necessary to ensure that providers keep PHI secure and avoid breaches. Data breaches can impact a provider’s reputation and as a result it could have dire consequences for the healthcare brand.
Individuals can also help if proper protocols are put in place at every practice, no matter how big or small. If your laptop holds sensitive data, steps should be taken to secure that data in case the device is lost or stolen. The guidelines provided by the Federal Trade Commission are a good place to start when approaching the topic of medical identity theft. Patients, for their part, can help themselves by staying alert to any suspicious charges.
According to a study conducted by Health IT Outcomes, EHR is no longer the top security initiative, as PHI security has grown in importance over this year. Although EHR is still a major concern in the industry, it was not considered as important at this point in time. The study also suggests that the focus for the new year will be a combination of security issues rather than a single issue, as ICD-10 compliance was in 2014.
The Office of the National Coordinator for Health Information Technology has come up with a seven-step approach to security management. Reviewing these steps gives IT professionals in healthcare a good idea of whether they are following the right protocols to ensure PHI security. If some of these steps haven’t already been taken, it’s a good idea to implement them immediately.
The first step is to focus on your EHR development team and hire the best individuals for the job. This entails designating a security officer and using qualified professionals to perform security risk analyses. Further, create a culture in which EHR/PHI developers discuss the HIPAA Security Requirements on a regular basis, so that knowledge of the HIPAA rules stays fresh in their minds and any changes are identified in a timely manner. Finally, use tools to identify and preview security risks, and embrace a work environment focused on securing patient information and protecting patient privacy.
The HIPAA Security Rule requires that all activities, policies, and procedures be well documented. By keeping records, a body of knowledge can be built up and used to enhance security protocols.
Performing risk analyses identifies vulnerabilities in the system and also reveals opportunities to enhance security across the IT ecosystem.
Keep developing an action plan and keep revising it. Further, keep educating staff about ongoing security analyses and ensure that security remains a priority. The action plan should have a clear structure of responsibilities and should always involve a PHI/EHR developer. It will need to incorporate organizational standards; physical, administrative, and technical safeguards; procedures; and policies.
This process will require implementing the action plan, educating and training staff to reduce breaches, communicating clearly with patients, and updating business associate contracts.
Meaningful Use Programs were developed to help providers transition to EHRs in order to improve the efficiency, quality, and safety of patient healthcare. Register for the EHR Incentive Programs after completing the security risk analysis. In principle, don’t attest until a risk analysis has been performed and documented, and the deficiencies it identified have been resolved.
The HIPAA Security Rule mandates that audit controls be incorporated and used. This enables monitoring of the effectiveness and adequacy of security protocols. Further, it’s a good idea to have an IT administrator and an EHR developer work together on the audit and monitoring functions. These functions also need to be scaled to the size of the healthcare practice.
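The audit controls mentioned above have two concrete jobs: keep a record of who touched which patient record that cannot be quietly edited after the fact, and let someone actually review that record for unusual activity. The following is an added illustration, not code from the original article or from any EHR product, of both halves: a hash-chained (tamper-evident) PHI access log and two simple review rules run over it. The record fields (`user`, `patient_id`, `action`, `ts`), the sample entries, and the thresholds are all constructed for the example.

```python
"""Added example: tamper-evident PHI access log plus simple review rules.

Everything here is an assumption for illustration: the record layout, the
SHA-256 hash chain as the tamper-evidence mechanism, and the thresholds used
by the review rules. Sample entries are constructed, not real data.
"""
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # hash "before" the first entry (constructed convention)


def _record_hash(prev_hash: str, record: dict) -> str:
    """Hash an entry together with the previous entry's hash to form a chain."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AccessLog:
    """Append-only log of PHI accesses; each entry commits to all prior entries."""

    def __init__(self):
        self.entries = []  # list of (record, chained_hash)

    def append(self, user: str, patient_id: str, action: str, ts: str) -> None:
        record = {"user": user, "patient_id": patient_id, "action": action, "ts": ts}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, _record_hash(prev, record)))

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, (record, stored) in enumerate(self.entries):
            if _record_hash(prev, record) != stored:
                return i
            prev = stored
        return -1


def flag_broad_access(log: AccessLog, max_patients_per_user: int = 5) -> list:
    """Users who viewed more distinct patients than a practice-sized threshold."""
    per_user = defaultdict(set)
    for record, _ in log.entries:
        per_user[record["user"]].add(record["patient_id"])
    return sorted(u for u, pats in per_user.items() if len(pats) > max_patients_per_user)


def count_after_hours(log: AccessLog, open_hour: int = 6, close_hour: int = 20) -> int:
    """Number of accesses outside the practice's assumed working hours."""
    count = 0
    for record, _ in log.entries:
        hour = int(record["ts"][11:13])  # ts is ISO-8601, e.g. 2015-11-02T08:01:00
        if hour < open_hour or hour >= close_hour:
            count += 1
    return count


def build_sample_log() -> AccessLog:
    """Constructed sample: one clinician with normal use, one account that is not."""
    log = AccessLog()
    log.append("a.nguyen", "P-001", "view", "2015-11-02T08:01:00")
    log.append("a.nguyen", "P-002", "view", "2015-11-02T08:15:00")
    log.append("a.nguyen", "P-001", "update", "2015-11-02T09:30:00")
    for i in range(8):  # eight different patients, all late at night
        log.append("r.smith", f"P-{100 + i:03d}", "view", f"2015-11-02T22:{i:02d}:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("broad access:", flag_broad_access(log))
    print("after-hours accesses:", count_after_hours(log))
    # Simulate someone editing a past entry in place: the chain breaks there.
    log.entries[2][0]["action"] = "delete"
    print("first tampered index:", log.verify())
```

The chain only proves that nothing was edited *inside* the log; protecting the log file itself (write-once storage, separate ownership from the EHR administrators) is what makes that proof meaningful, which is why the text pairs an IT administrator with an EHR developer on the audit function.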
PHI and EHR security protocols will continue to evolve next year, and those in health IT need to stay on top of any changes. 2016 will also see a trend toward driving costs down while improving patient and staff engagement, revenue integrity, technology tools, and provider integration and consolidation.
Consolidation and integration processes have already begun merging physician and hospital revenue cycles under a single platform and leadership structure, and post-acute care services are expected to expand. Patient engagement and satisfaction are also becoming vital as Medicare ties patient satisfaction to reimbursement. So expect many more changes over 2016.