Article

How to safeguard your patients’ information

In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.

Robert A. Dowling, MDAccording to industry experts, nearly half of all Americans have had their sensitive health information compromised. In this installment in a series on privacy and information security concerns, I will discuss steps you can take to safeguard your patients’ personal information.  

Related: Your patients’ personal information is at risk

In April 2014, the FBI Cyber Division issued a private industry notification entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” and concluded that health care organizations and medical devices are at significant risk for cyberintrusion and theft of personal information (http://bit.ly/FBIbreachreport). Among the FBI’s findings:

  • The health care industry is not as prepared for cyber attacks as the financial and retail sectors.

  • Virtual private networks, firewalls, routers, and especially medical devices are often compromised.

  • Cyber criminals charge $50 for a stolen electronic health record on the black market versus $1 for a stolen Social Security or credit card number.

  • Electronic health record theft is much harder to detect than “normal” identity theft.

In its 2015 “Industry Drill-Down Report-Healthcare,” Raytheon notes that the surge in cyber attacks on the health care industry may be driven by the value of the data: Health care records contain not only identity elements (name, date of birth, Social Security number, address, etc.) but also direct links to financial and insurance information for each patient record (http://bit.ly/Drilldown). Health care networks are often interconnected with devices and other large information systems (eg, insurance companies), making them an attractive target. Health care organizations may lack the technical and administrative resources necessary to combat advanced malware.

According to one private study, criminal attacks-including malicious insiders and/or paper files-are now the leading cause of data breaches in health care and may constitute a $6 billion epidemic (http://bit.ly/Breachstudy). Health care systems are high-value and poorly protected targets.

Next: Steps you should take

 

Steps you should take

What steps can a urology practice of any size take to confront this enormous privacy and security issue?

Raise awareness of the problem with your physicians and staff. They are important custodians of valuable information, and may not appreciate their role in prevention or unintentional facilitation of a crime.

Review your hiring practices and employee policy manuals. Criminal background checks, drug screening, and comprehensive applications are all standard practice in industries that permit employee access to sensitive information. Are they part of your business?

Also see: Watch out for these 7 common EHR mistakes

Conduct formal training for physicians and staff in privacy and security, including but not limited to HIPAA. Consult your malpractice carrier’s risk management division, which may offer this training for free. Any modest investment in prevention and training will pale in comparison to the cost of mitigating a recognized breach.

Review your business insurance policy for coverage of cybercrime-specifically the acts of an insider or intruder who gains access to records containing medical information.

Limit employees’ access to only that information required to perform their specific function.

Perform regular audits of routine access to information systems, and “break glass” access. (Break glass is a method to access a record that has security settings that would not normally allow that user access.) Unauthorized access to personal information should be specifically addressed in your employee handbook.

Next: Engage a certified IT professional to assess to assess your infrastructure, security practices

 

Engage a certified IT professional to assess your infrastructure, security practices, Internet service provider, and employee policies regarding the Internet. Managing a medical information technology environment is beyond the capability of amateurs and do-it-yourselfers; this is the cost of running a medical practice in today’s world.

Read: Extracapsular prostate cancer leads patient to sue

Review and minimize the paper inputs, storage, and outputs in your practice. Specifically:

  • Is your incoming mail adequately protected from theft?

  • Do not print items from your EHR or other information systems unless it is absolutely necessary. Reliance on paper for workflows in the practice carries substantial risk.

  • Routinely shred any paper, no matter how insignificant it may seem.

  • Do not leave documents containing sensitive information unsecured in a lab coat, on a desktop, or on a fax machine, scanner, photocopier, or elsewhere for an extended time.

  • Direct incoming faxes to a file or scan solution-do not print.

  • Remember that most copiers, fax machines, and scanners store information in memory, and that memory is easily accessible by cyber criminals. When replacing or discarding these devices, be sure the memory is erased in a compliant fashion.

Follow best practices for creating complex passwords, protect them, and change them regularly. This includes desktops, mobile devices, and virtual private networks, as well as those systems maintained by vendors who may have their own password requirements.

Next: Report any unauthorized access to the proper authorities

 

Report any unauthorized access of personal information to the proper authorities,including local law enforcement, the FBI, and others as appropriate. These entities collect important information that may detect threats and help prevent future intrusions.

Bottom line: Personal medical information needs to be accessible and shareable in order for physicians and others to render the best possible care to their patients. Criminals have taken advantage of this risk to make health care organizations the leading source of information breaches/theft in the United States. While the risk cannot be eliminated, sensible steps like the ones listed in this article can help mitigate the risk.

More from Dr. Dowling:

Do you know what your 'surgeon score' is?

CMS data offer insights into urologists’ pay

Social media: Why you need to be involved

Subscribe to Urology Times to get monthly news from the leading news source for urologists.

Related Videos
Woman typing on laptop | Image Credit: © Gorodenkoff - stock.adobe.com
Ellen Cahill, MD, answers a question during a video interview
Male doctor examining patient | Image Credit: © Rawpixel.com - stock.adobe.com
Blur image of hospital corridor | Image Credit: © zephyr_p - stock.adobe.com
Diverse group of doctors | © Flamingo Images - stock.adobe.com
Amy Pearlman, MD, answers a question during a video interview
Woman having telemedicine appointment with doctor | Image Credit: © Jacob Lund - stock.adobe.com
Related Content
Electronic smart checklist and document on virtual screens concept | Image Credit: © NongAsimo
November 6th 2024

Money Matters: Go into 2025 strong with this year-end financial checklist

Jeff Witz, CFP
"If you tapped into your emergency fund for any reason this year, it is important to make sure the account is replenished," writes Jeff Witz, CFP.
Health policy in urology: 2024 AUA Advocacy Summit recap
March 21st 2024

Health policy in urology: 2024 AUA Advocacy Summit recap

Urology Times staff
In this episode of Speaking of Urology®, Eugene Rhee, MD, MBA, and Logan Galansky, MD, discuss key topics in health policy and recap the AUA's recent Annual Urology Advocacy Summit.
Young woman paying bills | Image Credit: © fizkes - stock.adobe.com
October 7th 2024

Money Matters: Financial considerations when getting married

Jeff Witz, CFP
"Remember that whether or not it's your first time down the aisle, marriage is a celebration. Don't let all the financial and administrative details that go along with your special day spoil it," writes Jeff Witz, CFP.
How APPs can bridge the gap in urologist shortages
August 28th 2023

How APPs can bridge the gap in urologist shortages

Urology Times staff
In this episode, Janelle Bunce, PA-C, highlights the role that advanced practice providers can play in filling the gaps created by the growing workforce shortages in urology.
ChatGPT shows promise in responding to urology patient in-basket messages
August 26th 2024

ChatGPT shows promise in responding to urology patient in-basket messages

Hannah Clarke
"Generative AI technologies may play a valuable role in providing prompt, accurate responses to routine patient questions––potentially alleviating patients' concerns while freeing up clinic time and resources to address other complex tasks," says Michael Scott, MD.
Man using calculator | Image Credit: © Jirapong - stock.adobe.com
August 23rd 2024

Money Matters: Using donor-advised funds to avoid paying capital gains taxes

Jeff Witz, CFP
"Donor-advised funds are a fast-growing charitable giving vehicle in the US because they are one of the easiest and most tax-advantageous ways to give to charity," writes Jeff Witz, CFP.
© 2024 MJH Life Sciences

All rights reserved.