Security breaches, Alert raise question: Are your patient data safe?
Survey finds 93% of mobile devices are at risk of exposure
Do you assume your patient data are secure? You might want to take a second look. SecureWorks, an Atlanta-based security services provider, is blocking an average of 15,543 attempted hacker attacks a day per health care client, compared to an average of 1,581 attacks per day per bank client.
It's easier to steal electronic data because they're so compact, says Waldene K. Drake, RN, MBA, vice president of risk management and patient safety at Cooperative of American Physicians in Los Angeles. "It's easier than a box of records," she says.
Two major cases of compromised patient data occurred in 2008, and one of those cases resulted in a $100,000 fine for the provider. And those incidences are not isolated, according to data security experts. A recent international survey of outpatient surgery providers and others found that 93% of mobile devices are at risk of exposure.1 In the United States, almost half (49%) of providers surveyed who have mobile devices download patient data, including records and images, onto those devices. That practice could violate the Health Insurance Portability and Accountability Act (HIPAA) if the data aren't properly encrypted, said the surveyor, Credant Technologies, a Dallas-based security software company.1 Almost three-fourths (71.7%) of those surveyed use only passwords to protect data.
"Weak security leaves these users vulnerable to hackers, spammers, and identity thieves," according to Credant.1
Physicians and staff increasingly work from home, and laptop thefts are increasing, Drake says. More than 13% of respondents to the Credant survey have lost a device that had confidential information or know someone who has. More than 21% are not confident about the security of their mobile devices, according to the survey.
Record the model and serial numbers of all portable devices provided by your center, Drake says. "You can give police some information if it is stolen," she says.
National groups target patient data
National groups are responding to the security threat to patient data.
As of Nov. 1, 2008, under the Fair and Accurate Credit Transactions Act of 2003, creditors of covered accounts are required to comply with "red-flag" regulations from the Federal Trade Commission (FTC) that require them to establish a program that can detect, prevent, and mitigate medical identity theft, according to the American Medical Association (AMA). While somewhat unclear, those regulations and the FTC's informal interpretation of them suggest that they will be applied to many providers, including physicians in all practice settings, the AMA says.
Also, The Joint Commission has issued a Sentinel Event Alert on technology that discusses the increasing interface of devices and IT networks.
To ensure your patient data are secure, consider the following suggestions:
• Have policies and procedures for patient data issues.
The "No. 1, absolutely critical" requirement for security of your patient data is to have written policies and procedures that apply to every individual working in the facility, says Stephen Trosty, JD, MHA, CPHRM, ARM, president of Healthcare Risk Consultants in Haslett, MI.
In your policies, spell out that laptops with medical records should not be left in locked cars, or if they must be, they should be in the trunk, Drake says.
The written policies and procedures specifically should state that unauthorized access to a patient's medical record is contrary to policy and will result in immediate dismissal, Trosty says. "That's one thing I don't think you give people a second chance at," he says.
The policy and procedures should clearly delineate which job descriptions have access to which types of information, Trosty adds.
Additionally, some states are passing laws that establish penalties for those who "snoop" into medical records inappropriately and against those who wrongfully disclose protected health information. "These are in addition to HIPAA," Drake says. For example, in California, employees, including nonlicensed staff, and physicians can be fined for inappropriate disclosures. Also some states require disclosure to patients if their data are compromised.
• Avoid downloading patient data onto portable devices.
The best advice? Don't ever download patient information onto a laptop or other portable device unless it's an emergency, Trosty says. "Once you do that, you are potentially compromising the patient information," he says.
For example, if you take your portable device home, and another family member knows your password, he or she potentially could access the data, Trosty says. If you forget to close a file, and the family member opens your laptop, he or she could see the record, he says. "Physicians who take records home will wind up having to come in front of a quality committee or a risk committee or a committee for their department," Trosty says.
Others, including Drake, say if a medical record must be taken out of the facility, use a flash drive that can be carried in a pocket.
• Educate staff on an ongoing basis.
Consider e-mail reminders to keep data security at the forefront of concerns, advises Lorraine Doo, senior policy advisor at the Centers for Medicare & Medicaid Services (CMS). "You could do a monthly notification of 'there's something happening; here are the recommendations,' or 'here are reminders of what our policy requires.'"
Share information on securing patient data with all new employees, Trosty emphasizes. "And the employee should have to sign a document in which they indicate they have been told about this policy," he says. At least once a year, review the policy in a staff meeting, Trosty advises. Document that training in all employee files, and include the training in the meeting minutes, he suggests.
Keep in mind that many security breaches simply are caused by human error, Doo says. "We can rectify that by good and repeated training and awareness of sensitivity of information of which these people are stewards," she says.
Staff can be told to protect the patient data as if they were their own or that of a family member. "Everyone's information has the same right to be protected as your own," Doo says.
Reference
1. Credant Technologies. CREDANT Technologies Releases Results from Healthcare Security Survey. Nov. 19, 2008. Accessed at www.credant.com.
Enforcement action taken over security breach
The Department of Health and Human Services (HHS) sent a clear signal last year that it takes the safeguarding of patients' personal information seriously when it took enforcement action against Seattle's Providence Health & Services over the theft or loss of health information of more than 386,000 patients.
Providence's patient information was compromised because electronic media, such as backup tapes and laptops that contained unencrypted information, were left unattended and eventually lost or stolen. These actions compromised the protected health information of more than 386,000 patients. HHS received more than 30 complaints about the stolen tapes and disks after Providence alerted patients and HHS to the theft.
Some of the Providence thefts occurred when the items were left in Providence employees' cars. While HIPAA does not specifically address transportation of personal health information via laptop (or car), the rule does require covered entities to safeguard portable media or devices, including paper charts being moved between offices. (Editor's note: To read HHS guidance on HIPAA's security rule pertaining to electronic devices, go to www.cms.hhs.gov.) While HHS has received more than 6,700 reports of breaches under the Health Insurance Portability and Accountability Act (HIPAA), the Providence case was the first time HHS imposed a fine ($100,000) for a data breach. Also, with respect to HIPAA, this is the first time HHS has required a resolution agreement from a covered entity.
HHS focused the investigations on Providence's failure to implement policies and procedures to safeguard the information. Providence agreed to pay a $100,000 resolution amount to HHS and implement a robust corrective action plan that requires: revising its policies and procedures regarding physical and technical safeguards (such as encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training work force members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for three years.
A security breach last year involving the Walter Reed Army Medical Center in Washington, DC, and other military hospitals exposed sensitive information on about 1,000 patients, according to a statement released by the Army.
The information included names, Social Security numbers, and birth dates. The Army is investigating how the data security was compromised, and Walter Reed officials declined to say exactly what happened until the investigation is complete.
A Walter Reed spokesman did confirm that the computer file was found on a "nongovernment, nonsecure computer network." Officials at Walter Reed learned of the breach on May 21, 2008, from an outside data mining company, which found the file while working for another client.
Do you have safeguards for your patient records?
To ensure your patient data are secure, use safeguards such as passwords and tracking systems, security experts advise.
You should have a system that tracks who accesses records, who reads records, and, perhaps most importantly, who changes data, when they change it, and why, sources say.
"It should be one whereby any phone calls or any contacts, laptop or otherwise, that come in requesting patient information, the system will be able to track the computer identifier or Blackberry identifier and, hopefully, the person to whom the laptop or Blackberry is owned," says Stephen Trosty, JD, MHA, CPHRM, ARM, president of Healthcare Risk Consultants in Haslett, MI.
Such systems have proven useful when celebrities have been treated at health care facilities, he points out. "Passwords that are provided should enable that individual to access only that information that they have a need to know," Trosty says. "The reality of it is that many employees in an outpatient surgery center do not have the need to have access to specific medical record information on patients." In fact, you can eliminate employees' access to some software entirely if they don't need it, sources point out.
Determine appropriate safeguards, says Lorraine Doo, senior policy advisor at the Centers for Medicare & Medicaid Services. "Sometimes it's a password, but it needs to be an appropriate password or a strong password," she says. For example, avoid including names, Doo says. Passwords are stronger if they have a combination of numbers and letters, she says. However, from a practical standpoint, it needs to be one an individual can recall, Doo notes. "That's a real balancing act: To do what is safe, but also what is usable."
Passwords should be changed on a regular basis, such as every 30, 60, or 90 days, Trosty says.
Have your system set up so that passwords must be entered by the user, rather than being automatic, says Waldene K. Drake, RN, MBA, vice president of risk management and patient safety at Cooperative of American Physicians in Los Angeles.
Encryption is another safeguard. Only 6.8% of U.S. devices are encrypted, compared to more than 36% in the United Kingdom, according to the Credant Technologies survey. Trosty says, "The encryption will help keep information from being obtained, or from being obtained in a manner that can be read or understood."
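The tracking and need-to-know advice above (who accessed which record, what they did, and why, with access limited to job roles that need it) can be enforced as a review over the access-audit log. The following is an added example, not code from the article or any of the organizations quoted in it; the log format, role table and sample log lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of an EHR access-audit log (hypothetical format):
# timestamp|user|role|patient_id|action|reason
SAMPLE_LOG = """\
2008-05-21T09:02:11|jdoe|nurse|P1001|read|assigned-care
2008-05-21T09:05:43|jdoe|nurse|P7777|read|
2008-05-21T09:10:05|mlee|scheduler|P1001|read|scheduling
2008-05-21T09:12:30|mlee|scheduler|P1001|update|scheduling
2008-05-21T09:15:00|rkim|physician|P7777|update|assigned-care
"""

# Assumed need-to-know table: which roles may read or change clinical record content.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "nurse": {"read"},
    "scheduler": set(),   # schedulers have no need for clinical record content
}

# Records that require a documented care reason on every access (e.g. high-profile patients).
FLAGGED_PATIENTS = {"P7777"}

@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    reason: str

def parse_log(text):
    """Turn the pipe-delimited audit log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        ts, user, role, patient, action, reason = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action, reason))
    return events

def audit(events):
    """Return one finding per event that breaks the role or documented-reason rules."""
    findings = []
    for e in events:
        if e.action not in ROLE_PERMISSIONS.get(e.role, set()):
            findings.append(f"{e.ts.isoformat()} {e.user} ({e.role}) performed {e.action} on {e.patient} without permission")
        if e.patient in FLAGGED_PATIENTS and not e.reason:
            findings.append(f"{e.ts.isoformat()} {e.user} accessed flagged record {e.patient} with no documented reason")
    return findings
```

Run `audit(parse_log(SAMPLE_LOG))` to list the scheduler's clinical accesses and the undocumented read of the flagged record; the physician's documented update is not reported.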
Joint Commission offers steps to better technology
Alert warns of intertwining of devices, networks
As more medical devices interface with the information technology (IT) networks, providers should re-evaluate their security and confidentiality protocols, according to The Joint Commission, which recently issued a Sentinel Event Alert on technology.
"Medical devices and IT systems have become incredibly intertwined," says Ronni Solomon, JD, executive vice president and general counsel, ECRI Institute, a nonprofit health services research company in Plymouth Meeting, PA. Solomon spoke to the media about the alert.
Providers periodically should reassess compliance with the Health Insurance Portability and Accountability Act (HIPAA) to make sure that adding devices hasn't brought new security and compliance risks, The Joint Commission says.
Most of the advice offered in the Alert is applicable not just in hospital settings, but across the continuum of care, Solomon says. The Alert includes these tips:
- Before implementing any technology, look at workflow processes and procedures to resolve risks and inefficiencies. Involve clinical, clerical, and technical staff.
- When planning and selecting systems, include staff who ultimately will use or be affected by the technology and IT staff who have a strong clinical background. If medication is involved, include a pharmacist.
- Determine your technology needs, such as communicating discharges, beforehand. Require IT staff to conduct field trips to look at integrated systems.
- During implementation, monitor problems on an ongoing basis and address them quickly, possibly with the use of an emergent issues desk. Brainstorm across disciplines to improve the system and give vendor feedback.
- Train all staff, and provide frequent refresher classes. Focus training on benefits. Have a short time between orientation and implementation.
- Have policies that spell out staff responsibilities.
- Use standardized order sets and guidelines that have been tested and approved by the pharmacy and therapeutics committee (or equivalent) before the technology is implemented.
- Develop graduated safety alerts that spell out urgency and relevancy. Review skipped or rejected alerts. Determine which alerts should be hard stops, and provide documentation to support the decision.
- Require review and approval of physician orders outside of the usual parameters. Use the pharmacy and therapeutics committee (or equivalent) to approve all electronic order sets and clinical decision support alerts. Ensure proper label design, cut out do-not-use abbreviations and dangerous dose designations, and ensure that nurses have accepted the medication administration records (MAR).
- Ensure the environment is not distracting when staff members are using the technology.
- Continue to enhance the system's safety and error detection.
- Keep reporting errors, near misses, and close calls associated with the technology.
- Use a root-cause analysis to examine system errors and multiple causations.
To access the full alert, go to www.jointcommission.org.