7- DATA, DATA,& MORE DATA IN HEALTHCARE by PHARMAGEEK

Inga Goddijn, executive vice president of Risk Based Security, said in an interview with HealthITSecurity that healthcare providers are an attractive target for cyberattacks, which is dangerous for the industry. 

The 2021 Mid Year Data Breach QuickView Report studied 1,767 publicly reported data breaches in the first half of 2021.  

“The healthcare sector remains in the crosshairs, accounting for the most breaches through June 30th,” the report states. 

A total of 18.8 billion records were exposed in those breaches and it shows a decline of 24% according to the report.  

“The decline in breach disclosures comes primarily from locations outside of the United States, including breaches originating from unknown origins. In the US, the number of reported breaches increased by 1.5%,” according to the report.  

The report covers data breaches publicly disclosed between January 1 and June 30, 2021. 

“From the perspective of attackers, healthcare providers are a good target,” Goddijn stated in the interview. “Downtime can literally be a matter of life and death in some circumstances, making service interruptions especially difficult to tolerate.” 

“Add to that the high value data many providers have flowing through their systems that can be sold on the underground markets for stolen data and it's clear why healthcare makes an attractive sector to target,” Goddijn noted in the interview.  

Although the study shows a slight decrease, ransomware attack are continuing.  

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” Goddijn commented in a press release. 

“The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances,”  Goddijn concluded.  

With electronic storage of protected health information (“PHI”) becoming more common, healthcare providers are rightly concerned about ensuring their data and security systems are not breached, and developing an established course of action in the event that their systems are breached. 

The most important security precaution that a provider can have in place is a stable system for breach prevention. Otherwise, navigating the field to ensure there are no breaches can be difficult. 

Do not place your bets on good luck or assume that the system you currently have will prevent a breach. It’s impossible to plan for every possibility, and your practice will be better prepared if you view breaches as an inevitability.

So, prepare as if a breach will happen—but keep your focus on prevention, as that is the ideal. 

How to Prevent a Data Breach

Your patients are depending on you to provide them with a safe and secure system, and they are the ones who will be most affected when a breach occurs. Here are a few tips to ensure that your system is as secure as it can be, adapted from this resource:

1. Test, test, test. 

First, make sure your current system is effective. To do this, you must test the system. This means performing constant random testing—data breaches are random, so your testing should be as well—as well as conducting a yearly risk assessment. 

2. Restrict access to patient information. 

One of the key concepts of the Health Insurance Portability and Accountability Act (HIPAA) is that only those who need to use the data have access to it. Make sure that the systems you have in place only allow employees to access required information. Furthermore, ensure each employee has his or her own login information, as this makes audit trails easier to follow. 

3. Educate.

Make sure you provide constant, current education for both yourself and your employees about HIPAA compliance and the impacts of a health data breach. 

4. Deploy encryption technology and monitor devices and records.

Be sure to employ technology that protects the PHI stored on the devices. This should be done through the use of encryption technology for all your data and hardware—whether the data is stationary or in motion. This is a standard that you should always keep up to date. Make sure that your system strictly manages identity and access, so that only those who need to use the information, can. 

While HIPAA does not require data encryption, the Health Information Technology for Economic and Clinical Health (HITECH) Act states that if encrypted data is stolen, this does not constitute a breach. 

There should also be strict rules for employees who use their own devices to access information, as this can lead to breaches (i.e., if those devices end up lost or stolen). Educate employees on how to secure their belongings, and perhaps encourage them not to store their data locally. 

5. Review and modernize IT infrastructure.

If you work in a hospital or large practice, subnet your wireless records. This way, you can provide Wi-Fi to your patients while also ensuring that they are unable to access records. 

If you use a cloud system, it’s crucial that you read over the contracts carefully. Make sure you will still be HIPAA-compliant and that the systems will be secure. 

You may want to invest in quality IT staff to work on these networks. The individuals you have will determine whether your systems will work and will be there to defend you against breaches.  

6. Collaborate with compliant business associates.

It is likely that you currently have business associates—or that you will have one or more in the future. Business associates can assist in locking your information in a safe place, but this means that they have access to PHI. Make sure that your business associates are compliant with HIPAA and that they have the proper security procedures in place to prevent breaches.

7. Invest in a good legal team.

Remember, as helpful as these tips are, you must view a breach as inevitable. Even if you do everything right, bad things can still happen. Investing in a good legal team allows you to know that even if something goes wrong, you have a plan to move forward.

How to Respond to a Data Breach

Now, let’s assume you’ve set up an appropriate system to prevent a breach, but something has happened, and your patients’ PHI has been accessed. Let’s look to what steps you should take.

1. Conduct an initial assessment of the breach.

Once you have discovered a possible breach, you need to conduct an initial assessment of the situation. This can be done through creating a task force. This group will need to determine:

1. What went wrong? 
2. Was any PHI compromised? 
3. When did it happen?
4. Who is responsible?

2. Address the risks.

Now it’s time to fully dive in and determine what happened and how. That way, you can ensure it does not happen again. This can be done through conducting a root cause analysis—and documenting the steps you take along the way. When looking through your data, you should have documentation including:

• policies and procedures for security and privacy,
• details on employee education and awareness programs, and
• evidence of disciplinary action taken on employees. 

Don’t limit your focus on the system that experienced the breach. If something went wrong in one system, it is highly likely the same thing can and will happen in another system. 

3. Notify the appropriate parties. 

Even though it is difficult, it is necessary that you notify all the appropriate parties of what has happened. While you might be worried about losing patient trust, patients prefer to know the truth. 

4. Manage the consequences.

After you’ve studied the causes of the breach and reported your findings to the appropriate parties, it is possible that you will be investigated and have to pay legal fees. Remember, HIPAA laws were created to protect the patient, not the practice. 

As previously mentioned, your relationship with your patients may suffer because of the breach. So, after you’ve taken appropriate measures to combat the breach and implement new security measures in your system, you must take steps to rebuild your patient relationships. If this situation was something outside of your control, explain this to your patients. Patients appreciate honesty and transparency. 

If you are struggling to handle the breach, reach out to legal counsel for assistance. There is no shame in asking for professional help.  

5. Don’t panic. 

Remember, you prepared for a breach, and you’ve done damage control. Sometimes things happen that you cannot prevent, and all you can do is react appropriately. Review what happened and make sure that you took all the proper measures to ensure the same thing does not happen again.