Healthcare security breach is widespread and reports indicate that an average of one healthcare organization experiences a data breach every day. Medical transcription outsourcing to a reliable service provider can ensure HIPAA compliant medical documentation practices. However, electronic health records (EHRs) are virtually exist everywhere, making them an easy target for hackers. Industry experts stress that healthcare organizations need to take a proactive approach to safeguarding EHRs, reducing risk of security breach, protecting their reputation, and reducing risk of liability claims.
In 2015, more than 113 million persons were affected by a data breach. Ponemon Institute reports that the average cost of one stolen or lost record is $363. The US Department of Health and Human Services Office for Civil Rights (OCR) received reports of as many as 264 data breaches affecting at least 4.4 million patients as of November 21, 2017.These breaches include hacking/IT incidents, unauthorized access/disclosure, theft, improper disposal and loss. The breaches affected physician and dental practices, hospitals, insurers, medical equipment suppliers and health systems. Rather than just relying on detection software and hardware, healthcare entities have to understand their risks and vulnerabilities, and then take appropriate measures to manage them.
A recent Beckers ASC Review report recommends risk assessment and other steps to reduce risk of data breach in ambulatory surgery centers (ASCs):
Data breach risk analysis: Performing a risk assessment could identify gaps or vulnerabilities that can be exploited to access to PHI, according to HIPAA Breach News (HBN). System weaknesses can expose an organization to liability for breach of confidentiality and invasions of privacy. Inappropriate uses or disclosures of information can cause negative publicity and make patients to choose other providers. IT-related errors and loopholes can corrupt or destroy vital data, or result in inappropriate alteration or manipulation of data.
Education and training: All persons in the organization should be trained on security and privacy rules that apply to healthcare and the impact that they can have. Participation in cyber protection means understanding what’s happening in the wider security landscape. All staff should know why PHI needs to be protected and also informed about the importance of observing and reporting suspicious events. Regular training sessions and annual reorientation can keep staff up to date on these matters.
Policies specific to ASCs: The Beckers ASC Review report says that ASCs need to implement certain policies that are specific to their needs:
- High-profile patients: ASCs need to take special care to keep records of high-profile patients private and confidential. This can be done by assigning an alias within the EHR for them, and restricting access to the “need to know” list. At the same time, exemptions will be needed to allow internal access for treatment, administrative or other specific purposes. Frequent audits should be conducted to identify who is accessing these records and whether they have a legitimate reason to do so.
- Bring Your Own Device (BYOD) policy: BYOD policy should be properly defined. The best policy would be to include only organization administered devices. If physicians, nurses and administrative staff are allowed to access PHI on personal laptops, tablets and smartphones, the parameters should be defined. Requirements for device encryption should be spelt out. Phones can also be issued internally to staff members, an expensive but worthwhile investment option to protect PHI.
- Secure storage, destruction and disposal of PHI: There should be clearly defined policies for retention and destruction of PHI in paper and electronic format. Data backup is also crucial.
- Encryption: Encryption is essential to protect PHI. The data encryption policies of medical transcription companies are a good example. Data encryption ensures that data is protected at all times.
- Physical security: This includes the use of alarm systems to prevent break-ins and access to computers via an unlocked office. Care must be taken to ensure that paper records are not stored in an area with unrestricted access, especially in buildings with space constraints.
- Define staff responsibilities: Privacy and security job descriptions must clearly spell out who is responsible for privacy and security.
It is important to keep online traffic concealed with block tracking cookies. This will limit the ability of third parties to follow online traffic and prevent unauthorized persons from accessing secure accounts. Performing regular audits is an important best practice when it comes to security. Security audits should be done annually. Failure to perform HIPAA-compliant security analyses can attract penalties starting in the $100,000 range.
Most healthcare providers partner with a third-party vendor for medical billing and coding support as well as medical transcription services. It is critical to choose a vendor whose security measures meet the highest standards. As incidents of PHI breach increase, only a proactive approach can safeguard patient data and reduce the risk of cyber attacks.