The network of Community Health Systems, one of the largest U.S. hospital companies, was hacked in August 2014, with data of about 4.5 million patients reportedly stolen by Chinese hackers.
This is the largest attack of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches, according to the Chicago Tribune.
Here are five things ambulatory surgery centers (ASCs) and physician practices should know about the hacking of patient records.
1. Hackers are increasingly targeting patient records. The hackers of the CHS network reportedly stole names, addresses, birthdates and Social Security numbers. As a Reuters report notes, "Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances."
Dell SecureWorks noted that "an individual healthcare record is worth more on the black market than a U.S.-based credit card and personal identity with social security number combined."
The Identity Theft Resource Center reported it recorded 614 data breaches in 2013, with the Healthcare sector accounting for 43.8% (269) of the total breaches. The healthcare sector overtook the business sector in number of breaches for the first time since 2005, when the Identity Theft Resource Center began tracking data breaches.
2. ASCs and practices may be appealing targets for hackers. Hacking an ASC's or practice's network will not yield anywhere near the number of patient records stolen from CHS, but there are still many reasons why hackers target smaller organizations. Smaller organizations typically dedicate fewer resources to IT security and lack enterprise-grade security controls, which makes their networks easier to compromise. With less monitoring in place, a breach may go undiscovered for a long time, during which the hackers can keep copying and exfiltrating data as it is added to the system.
3. Hacking can create significant financial challenges for an organization. The HITECH Act and the HIPAA Omnibus Rule substantially increased the possible civil penalties for noncompliance. When a HIPAA violation is due to willful neglect and is not corrected, the fine is $50,000 per violation, up to an annual maximum of $1.5 million for violations of the same provision. Even "accidental" HIPAA violations can lead to significant fines.
On top of these possible fines, an organization that is hacked may incur expenses associated with informing the affected parties, media and Secretary of Health and Human Services of the breach; investigative costs to identify the cause of the breach, who was affected and steps to prevent future breaches; legal fees; establishment of a call center; and credit monitoring costs.
4. Hacking can severely damage an organization's reputation. Less than one month after Target revealed it had suffered one of the largest data breaches ever for a U.S. retailer, the company's customer-perception level dropped to an all-time low, according to a MarketWatch report.
When data on a business's customers is stolen, that business's reputation as a trusted provider of services will likely suffer. It can take considerable time and money to rebuild trust in the organization, and while those efforts are underway the organization is likely to see a decline in its business. For an ASC or physician practice, a substantial, sustained decline in patients and cases can prove devastating.
5. There are many steps ASCs and practices can take to improve the security of their patient data. ASCs and practices are not powerless to prevent hacking. Steps to take include the following:
- Install antivirus/antimalware and intrusion detection software.
- Keep these programs up to date and active.
- Limit the use of laptops, pen drives and tablets to hold patient records.
- Make sure staff are trained in HIPAA.
- Take steps to confirm any business associate and business associate subcontractor that handles patient health information is following HIPAA.
- Cease use of unsupported operating systems and software, such as Windows XP.
- Develop a password complexity policy.
- If patient records must be accessed from outside the facility, allow it only over an encrypted remote-access method.
- When staff members leave the facility, immediately remove these users from the system.
- Conduct a regular IT security audit: a comprehensive review and examination of the IT used within the organization. Have it performed by a qualified third party, such as PriorityOne Group, even if an IT provider is already in place, since an outside party is more likely to produce a truly objective report.
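The step "remove departed users immediately" is the one most often missed in practice, and it is also the easiest to verify with a periodic access review. The script below is an added example (not code from the original article or from PriorityOne Group): it reconciles a directory export of user accounts against the HR separation list and reports enabled accounts that belong to separated staff, accounts that have never been used, and accounts with no logon in the last 90 days. The CSV column names, the 90-day threshold and all sample rows are constructed assumptions for illustration; a real run would use exports from the directory service and the HR system.

```python
"""Access-review check: enabled accounts of separated staff, and stale accounts.

Added example for the 'remove departed users' step; not part of the article.
Column names, threshold and sample data are assumptions made for this example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

STALE_DAYS = 90  # assumption: an enabled account unused this long needs review


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def _parse_date(text: str) -> Optional[date]:
    """ISO date from an export column; an empty field means 'no date recorded'."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_accounts(csv_text: str) -> List[Tuple[str, bool, Optional[date]]]:
    """Directory export with columns username,enabled,last_logon (assumed layout)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append((row["username"].strip().lower(),
                     row["enabled"].strip().lower() == "true",
                     _parse_date(row["last_logon"])))
    return rows


def load_separations(csv_text: str, today: date) -> Set[str]:
    """Usernames from the HR export whose separation date is today or earlier.

    A future separation date (notice given, still employed) is not flagged yet.
    """
    gone = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        separated_on = _parse_date(row["separation_date"])
        if separated_on is not None and separated_on <= today:
            gone.add(row["username"].strip().lower())
    return gone


def review_accounts(accounts_csv: str, separations_csv: str, today: date,
                    stale_days: int = STALE_DAYS) -> List[Finding]:
    """Return one Finding per enabled account that should be disabled or reviewed."""
    findings = []
    separated = load_separations(separations_csv, today)
    for username, enabled, last_logon in load_accounts(accounts_csv):
        if not enabled:
            continue  # already disabled; nothing to do
        if username in separated:
            findings.append(Finding(username, "separated staff member still enabled"))
        elif last_logon is None:
            findings.append(Finding(username, "enabled but has never logged on"))
        elif (today - last_logon).days > stale_days:
            idle = (today - last_logon).days
            findings.append(Finding(username, f"no logon in {idle} days"))
    return findings


# Constructed sample exports (not real data).
SAMPLE_ACCOUNTS_CSV = """username,enabled,last_logon
jdoe,true,2014-08-29
msmith,true,2014-08-30
rjones,true,2014-04-01
svcbackup,true,
tlee,false,2014-06-01
kpatel,true,2014-08-31
"""

SAMPLE_SEPARATIONS_CSV = """username,separation_date
jdoe,2014-08-15
tlee,2014-06-01
kpatel,2014-09-15
"""

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS_CSV, SAMPLE_SEPARATIONS_CSV, date(2014, 9, 1)):
        print(f"{f.username}: {f.reason}")
```

Run against the sample data with 2014-09-01 as the review date, it reports jdoe (separated two weeks earlier but still enabled), rjones (no logon in 153 days) and svcbackup (enabled, never used); tlee is already disabled and kpatel's separation date is still in the future, so neither is flagged. Any account on the first list should be disabled the same day, and the review itself is the kind of evidence an IT security audit will ask for.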
In addition to these steps, ASCs and practices will also want to confirm, to the best of their ability, that their business associates are following HIPAA rules. Under the HIPAA Omnibus Final Rule published in January 2013, all business associate agreements (BAAs) must be brought into compliance with the Omnibus Rule by Sept. 23, 2014. Failure to confirm that BAAs are HIPAA compliant can lead to significant penalties for ASCs and practices if protected health information (PHI) is stolen.
Business associates are vendors with access to your PHI. These vendors may include IT companies, transcription companies, coding and billing companies, consultants, collection agencies and shredding companies, as well as organizations involved in patient safety activities, health information organizations and PHI data storage companies.
In addition to updating all BAAs, ASCs and practices should audit their business associates. This audit process should confirm business associates have the following in place:
- Updated policies, procedures and manuals that the business associate follows to show compliance with HIPAA
- Training provided to all employees on the privacy and security procedures covered by HIPAA
- Mechanisms to train new employees
- Recent completion of a security risk assessment
- Mechanisms in place to ensure maintained compliance with HIPAA
- Documentation of all of these processes
Do you have questions about maintaining compliance with HIPAA? Concerned your ASC or practice may be vulnerable to hacking? Contact PriorityOne Group today to schedule a complimentary Technology Assessment!