How To Avoid a Medical Data Breach


Many physicians and practices agree that the spread of electronic health records and other healthcare technologies is moving faster than government regulation alone can keep up with.

So while this influx of digital data is good for improving health care, it also raises the stakes: hackers and thieves now have far more valuable personal health information within reach.

Case in point: a report by the IT security audit firm Redspin, drawing on US Department of Health and Human Services breach data, found that breaches from unencrypted devices were up 525% in 2011, with 385 such incidents reported since 2009.

How can you help bring down the stunning number of yearly medical data breaches? Healthcare organizations need to act as their own watchdogs to protect their patients, and themselves, from the consequences of a data breach.

Medical Data Breach Repercussions

HIPAA places responsibility for protecting patient data on organizations defined as covered entities: health care providers such as doctors' offices and hospitals, health plans and health insurers, and health care clearinghouses. The HITECH Act extended that liability to business associates as well, the vendors and contractors that handle protected health information on a covered entity's behalf.

The consequences of a data breach for any of these groups go well beyond reputational damage. Fines alone are much steeper than they used to be: $100 to $50,000 per violation, scaled by the level of culpability, with an annual cap of $1.5 million for violations of the same HIPAA provision. The top tier, a minimum of $50,000 per violation, is reserved for cases where willful neglect is proven and the problem was not corrected.

Furthermore, the HITECH breach notification rule requires not only that affected patients be notified individually, but that any breach involving more than 500 residents of a state or jurisdiction also be reported to prominent media outlets serving that area and to the Department of Health and Human Services.

Is Data Encryption Necessary?

For starters, the HITECH breach notification rule treats protected health information as "secured" when it has been encrypted in line with HHS guidance, so the loss of such data by a covered entity is not a reportable breach, provided the decryption key was not lost or exposed along with it. An encrypted laptop whose key is written on a note in the same bag gets no such safe harbor. Still, encryption alone does not shield an organization from data breaches.

Back-up hard drives, network traffic and portable hardware (laptops, flash drives, smartphones) should also be encrypted to keep data private. There are also choices of algorithm and key length. HIPAA itself does not prescribe a key size; the HHS guidance points to NIST recommendations (NIST Special Publication 800-111 for data at rest, and the NIST guidance on TLS and VPNs in SP 800-52, 800-77 and 800-113 for data in transit). AES with a 128-bit key is considered adequate under that guidance, and many software providers offer 256-bit AES, which gives additional margin at no practical cost to your practice. In either case the protection rests on the key: if it is stored alongside the data or shared carelessly, the key length is irrelevant.

Lastly, disk and device encryption protects data only while the device is powered off or locked. It does nothing for data being exchanged over a network, which needs its own protection such as TLS, and nothing while the computer is unlocked and in use, when anyone holding the user's session, including malware, can read the records in the clear.
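To make the encryption points above concrete, here is an added example, not code from the article or from any EHR vendor, written in Go with only its standard library. It encrypts a constructed sample patient record with AES-256-GCM and then shows what an attacker gains from the ciphertext alone, what happens when the wrong key is used, and that any tampering with the stored record is detected. The key is generated in memory as a stand-in for a key held in a separate key store; that separation is an assumption the example relies on, and the record contents are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random AES-256 key. In a real deployment the key
// lives in a key-management service or hardware token, never on the same
// disk as the encrypted records (assumption for this example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256; 16 would give AES-128
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals one record with AES-GCM under key. aes.NewCipher accepts
// only 16-, 24- or 32-byte keys (AES-128/192/256); anything else is an error.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per record
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modified byte makes the GCM
// tag check fail, so the caller gets an error rather than garbage plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Exposes reports whether the stored blob still contains the record in the
// clear, which is exactly what the breach safe harbor depends on ruling out.
func Exposes(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123|DOE, JANE|1970-01-01|dx: hypertension")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record readable from stolen blob: %v\n", Exposes(blob, record))

	wrongKey, _ := NewKey() // a thief guessing or holding some other key
	_, err = Decrypt(wrongKey, blob)
	fmt.Printf("decrypt with wrong key: %v\n", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored record
	_, err = Decrypt(key, tampered)
	fmt.Printf("decrypt after tampering: %v\n", err)

	plain, err := Decrypt(key, blob)
	fmt.Printf("decrypt with right key: %q (err=%v)\n", plain, err)
}
```

Changing the key length in NewKey from 32 to 16 bytes switches to AES-128 without any other change, which is the practical difference between the two options discussed above; a key of any other length is rejected by aes.NewCipher. The random 96-bit nonce is fine for the record volumes a practice handles, but a single key should not be used for billions of records, so rotate keys rather than reuse one indefinitely.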

Preventing a Data Breach

So what other data protection methods can you exercise? There are several steps and precautions your practice can take, including:

  • Use the National Institute of Standards and Technology (NIST) Risk Management Framework to inventory and evaluate every IT system at your practice that holds personal health information, and confirm each one meets the HIPAA Security Rule's standards.
  • Follow recognized security frameworks that map to HIPAA, such as NIST's guidance on implementing the Security Rule, the ISO/IEC 27001 standard from the International Organization for Standardization, and the Health Information Trust Alliance (HITRUST) framework, when building an EHR security protection program.
  • Segment your networks: keep guest Wi-Fi and other untrusted devices on a separate network from the systems that store and process patient data, so a compromise of one cannot reach the other.
  • Control access to computers and networks with individual logins and authentication for every user, administrators included; grant privileges according to role, review them regularly, and log who accessed which records.

As healthcare IT becomes more advanced, new security issues will arise, so it's important to keep up with current threats to protect your patients and your practice.

What measures has your practice implemented to help prevent data breaches?
