Why the Target Security Breach Should Concern Physicians & Providers

The recent data breach at the national chain store Target was the latest in what seems to be a trend of large-scale cyber attacks. The details surrounding each stage of the breach led to some surprising discoveries about lapses in data security. While Target believed it had done everything in its power to protect its customers’ data, a lapse in risk assessment soon became a bigger problem than anyone could have imagined.
Unlike Target, medical professionals are governed by a body that imposes stiff penalties if data is exposed or accessed without authorization. These penalties apply not only to the criminals who access the information but also to the medical professionals who allowed the data to be breached. To avoid being dealt a hefty penalty for a HIPAA violation, it’s best to make sure that you have an iron-clad fortress around your patient information.

Determining Your Risk Factors

Medical practices are at a significantly higher risk of data breaches than other businesses. One reason is that much of the patient data is stored on-premises, where security safeguards are often overlooked or disregarded. Another reason is that multiple employees have access to personal information and proper controls restricting that access are not in place. HIPAA sets very specific protocols that medical practices must follow in order to secure patient data (although it isn’t very specific about physician data). However, even with these protocols in place, patient data is still at significant risk of being breached.

Passwords, security questions, and lock codes only deter outsiders, not authorized personnel. This means that physician practices are at risk of both in-house and outside data breaches.

If you recognize any of the following, you’re already at risk:

  • You are a medical office
  • You use an in-house server to store patient information
  • You’ve recently laid off an employee
  • You have frequent turnovers
  • You train interns
  • You use email to correspond with patients and specialists
  • You’re registered as a provider with the CAQH
  • You employ a CYOD (choose your own device) policy

EHRs pose a significant risk to data, so physicians must go beyond the HIPAA-required security parameters to protect their data. If you don’t, and a data breach occurs, you’ll be at risk of high fines and even jail time!

Safeguarding Your Practice

After reading about security breaches such as the one at Target, you may be thinking that there isn’t much you can do to stop tech-savvy cybercriminals from stealing your patient information, but this couldn’t be further from the truth. In fact, there is a multitude of measures you can take to plug any potential leaks in your current security protocols.

  • Know Your Risks. Perform regular risk assessments with an experienced HIPAA compliance officer. This is the best way to spot potential security risks before they become detrimental to your business. HIPAA requires that all medical practices follow this rule, but you should go the extra mile and conduct one regularly to avoid potential data breaches down the line.
  • Know How to Protect Your Data. According to Symantec, insider negligence accounted for 14% more data breaches than third-party attacks. Enroll in a HIPAA training and compliance course to make sure you’re up to date with recent data compliance changes.
  • Know Where Your Data Is Going. At times, your staff will be required to send information to other professionals such as family physicians, specialists, and pharmacists. However, sending this information online increases your risk of data theft. To avoid this, set parameters for your staff to abide by when sending patient or hospital data.
  • Dig Deep. As technology continues to evolve, so will the ways in which we transfer sensitive data. Becker’s Hospital Review recommends that physicians spend a little extra money to purchase a security option that monitors their data transfers through every touchpoint. This includes social media.
  • Don’t Use a Generic Data Security Option. Data differs from practice to practice, so you shouldn’t use a generic one-size-fits-all solution to protect yours. Instead, use the information you gathered from your risk assessment and purchase a security system that covers every need you have.
  • Implement Staff Education Standards. Staff often lack a proper understanding of what is permitted and what is considered illegal. Something as simple as accessing patient records at a hospital is considered a HIPAA violation if the patient is not under the direct care of one of your physicians. Frequent and comprehensive education needs to be a priority for every office regardless of size or specialty.

By following these steps, you can avoid being the next Target story.

As you can see, the steps to take in order to safeguard your data are surprisingly simple, but often overlooked. There’s very little you can do once your data has been compromised. So, to avoid paying a hefty fine and putting your patients’ data at risk, be proactive and protect your practice from all possible angles.

Resources

http://www.beckershospitalreview.com/healthcare-information-technology/5-best-practices-for-improving-data-security.html

http://www.healthit.gov/providers-professionals/ehr-privacy-security/practice-integration

http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02

http://www.beckershospitalreview.com/healthcare-information-technology/39-of-data-breaches-caused-by-insider-negligence-not-third-party.html