If the Democratic National Committee can get hacked, it’s hard to believe that your dental practice is fully protected. We recently received a call from one of the practices we consult with. The owner discovered one of his employees used patient information to create fake credentials, open credit lines at retail stores, and max out those credit lines before being caught. Another employee opened an email that looked legitimate and, with a single click, the entire office became victim to a ransomware attack. Stories like these prove that almost anything can happen.
Nothing is foolproof
The health industry loses about $6 billion annually to data breaches, which experts predict will affect one third of all health-care recipients in 2016. The problem is, even with proper precautions in place, data breaches can still occur at practices. In an attempt to diminish these losses, the U.S. Department of Health and Human Services Office for Civil Rights is now performing random audits.
Because offices collect names, dates of birth, Social Security numbers, addresses, and entire medical histories, technologically unsophisticated entities such as medical and dental practices are proving highly attractive targets for all types of criminals.
This personal information can be sold on the open market to create identity theft. Multiply the number of your patient records by $10 to $50 per patient, and that’s what it’s worth on the black market. Simply Google “credit card dumps” and you’ll find criminal sites that promote hacking and selling stolen information. What’s the world coming to?
What’s required in case of a data breach
Whether a hacker, ransomware attack, or a stolen laptop causes the breach, fully understanding the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule is critical. Breach happens. However, the Health and Human Services will issue material fines and penalties if proper notification requirements are not followed.
For breaches involving more than 500 patients, here’s a brief summary of your responsibilities:
• Perform a forensic investigation into what happened, including all the protected health information that may have been compromised.
• Document the incident.
• Segment patient records by state, age, and whether a patient is deceased. (This is required because different states and patient segments have different notification requirements.)
• Notify all patients.
• Set up a call center to answer follow-up questions from patients.
• Provide identity-monitoring services for patients. (You may have been offered a similar service if your credit card was ever compromised.)
• Publish a press release to local media. Yes, HIPAA requires this.
• Report the incident, typically within 60 days, to Health and Human Services.
• Respond to the follow-up inquiries by the Office for Civil Rights.
• Oh, and while you’re at it, keep your practice running.
For breaches involving fewer than 500 patients, you will still have to notify the patients and Health and Human Services within 60 days after the end of the calendar year. The good news is that you can take steps today to ensure you’re better protected for tomorrow.
Here are five ideas to consider:
1. Get IT involved—Candidly discuss how to limit exposure to protected health information with your IT provider. For example, ask about how you can limit employee access to the internet, especially on the same workstations where patient records are accessed. This is also a good opportunity to put solutions in place to monitor all workstation use and log all activity. Although these solutions might cost money upfront, they will save you thousands of dollars in forensic investigation costs should you experience a ransomware attack or any other data-related event.
2. Educate your staff—Invest in training for every staff member in your practice so they can learn how to better secure protected health information. Clearly communicate password best practices, such as the difference between a strong and a weak password, how to change your password every 90 days, why doing so is important, and more.
Be extra conscious of which employees have access the internet and from which devices. Limit internet and social media access, or set up one station for accessing those websites.
3. Don’t store credit card data—Remove Excel spreadsheets or any other software that stores credit card data. Make sure you’re following Payment Card Industry Data Security Standard requirements by performing a quarterly scan of your IP address and attesting to a self-assessment questionnaire once a year.
4. Be proactive, and plan for the worst—You can’t wait until a breach happens to put a plan in place. Similar to a fire drill, you should be doing a breach drill at least annually. Pretend a breach has occurred, and document the steps your team would take. Who’s included on the data breach team? How will you communicate with one another? What critical steps do you need to take to keep the practice operating? Make plans and diagnose weaknesses by routinely practicing this scenario. Whether your data is held ransom or lost in an earthquake, you need to be prepared to not only restore it as quickly as possible, but also ensure your practice is in full compliance with the HIPAA Breach Notification Rule. This will ensure you can keep your doors open in the aftermath.
5. Protect your assets—The costs of conducting a forensic investigation, notifying patients and regulatory agencies, providing identity-theft monitoring, and paying potential fines associated with a data breach can devastate even well-run practices. The No. 1 step you should take today is securing appropriate asset protection to mitigate risk. This type of financial indemnity is available, and it’s not typically covered under your general liability policy.
In a world where ransomware and credit card and data breaches have become commonplace in medical and dental practices, it’s important to understand your vulnerabilities. Breach happens, but with a little foresight and proper planning your practice will be better prepared, and you’ll mitigate your overall risk. If you would like more information on HIPAA compliance requirements and to quickly see how your practice is stacking up, take a complimentary HIPAA risk assessment.