Data breaches are worth worrying about. So are failed meaningful use audits. And the two topics are related: the most common reason hospitals and physicians have failed meaningful use audits is that they could not document that they had completed a security risk analysis.
But auditors aren't the only danger. A study published in May 2015 by the Ponemon Institute found that, while lost or stolen laptops containing patient data remain one of the leading causes of data breaches, other threats are now more common: criminal attacks, spear phishing, and malware. If government systems like the IRS's and those of top academic medical centers like the University of California, Los Angeles, can be hacked, what can a medical practice do to protect itself?
There is a lot at stake in money and hassle if someone hacks your system. Fines from the Office for Civil Rights (OCR) for a breach can be significant, but the other costs add up too: staff time, free credit monitoring for affected patients, information technology consulting fees to fix the weaknesses that allowed the breach, and fees or licenses for software upgrades.
Health care is a particularly attractive target, so taking preventive measures is worth the effort, and some of these threats can be reduced by fairly simple actions. At the very least, a practice should conduct and document a risk analysis every year. Once the analysis is done, the documentation can be as simple as a cover sheet, kept with the analysis itself and the records of what was fixed, that states: “[Practice name] conducted a security risk analysis on MM/DD/YY. Security updates were implemented, deficiencies were corrected, and mitigation plans were implemented.” An auditor will want to see the analysis and the corrective actions behind that statement, so keep them together.
Here are some tips to minimize the chance of a data breach:
Are your antivirus and firewall software up to date? Use a reputable product, and make sure that both the software itself and its signature updates are downloaded and applied regularly; an antivirus product with stale signatures offers little protection against current malware. Put a written policy in place that defines who is responsible for updating every computer in the practice, how often scans are run, and how the results are checked, so that no system is left out.
Do you know your business associates? Many breaches occur not in the practice itself but at its business associates. Be sure that your business associate agreements address privacy, security, and what happens in the event of a data breach, including how quickly the associate must notify you. Examples of business associates are your electronic health record (EHR) vendor, data registries, billing and practice management vendors, collection agency, and cloud storage provider. It is not enough to assume that your certified EHR and practice management vendors are HIPAA compliant; protecting patient data remains the practice's responsibility.
When did you last conduct a security risk analysis? One of CMS's core measures for meaningful use requires that practices “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” To meet this measure, the practice must conduct a risk analysis each year and address the deficiencies it finds. The HIPAA Security Rule separately requires that practices implement administrative, technical, and physical safeguards for electronic patient data, and the risk analysis is the foundation for choosing those safeguards.
The Office of the National Coordinator for Health Information Technology (ONC) has developed an interactive online tool (paper versions are also available) to help practices conduct a thorough security risk analysis, and ACP's HIPAA Security Manual includes a security risk analysis as well. If a breach occurs even after your practice has taken all these precautions, guidance on the HIPAA breach notification rules, including the deadlines for notifying patients and the Department of Health and Human Services, is available online.