In today’s hacker-crazed society, finding ways to protect patient data on the Internet is a top priority for healthcare providers.
Hospitals, private physicians, other healthcare professionals and companies are investing millions of dollars in security systems to protect patient data. When security breaches occur, these entities can be forced to pay millions of dollars to settle patient data disputes and lawsuits.
In 1996, the federal government imposed a national policy to protect the confidentiality of personal health data and information, and instituted a minimum set of guidelines to increase security measures.
That federal rule is known as the Health Insurance Portability and Accountability Act, or HIPAA, a familiar acronym used in offices, hospitals and government agencies to protect the release of someone’s personal information.
The HIPAA Security Rule was established as a set of national security standards for the protection of all electronic protected health information that covered entities and their business associates create, receive, maintain or transmit. According to the Office of the National Coordinator for Health Information Technology, the security rule contains the administrative, physical, and technical safeguards that covered entities and business associates must put in place to secure electronic protected health information.
The goal of the security rule is to help health care providers avoid some of the common security gaps that could lead to a cyber-attack and data loss, according to the Office of the National Coordinator for Health Information Technology.
The safeguards aim to protect people, information, technology and facilities that healthcare providers depend on for secure patient care. Each safeguard has different requirements that are applied, according to the federal Health Information Technology guide:
- Administrative safeguards focus on administrative actions, policies and procedures able to prevent, detect, contain and correct security violations.
- Physical safeguards are physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Organizational standards provide specific criteria required for written contracts or other arrangements.
- Policies and procedures require a covered entity to adopt reasonable and appropriate policies and procedures to comply with the provisions of HIPAA.
An effective HIPAA compliance plan should include Internet applications and files to protect patient data, and to make it difficult for hackers to gain access.
The Fox Rothschild Law Firm features posts by bloggers who write about health law and patient care on its HIPAA, HITECH & HIT Web page (hipaahealthlaw.foxrothschild.com). The articles highlighted their perspectives on a range of topics addressing the rights, protections and pitfalls that can occur in the security of protected health information.
In reality, apparently no individual, institution or government agency is safe from a cyber-attack, not even government agencies charged with the task of protecting all Americans.
The Department of Health and Human Services (HHS), the federal agency responsible for HIPAA enforcement, isn’t immune to hacking, as noted by Elizabeth Litten in her blog “Hackers: Take My Health Information, But Please Don’t Take My Health,” published on the “HIPAA, HITECH” page.
The Washington Times recently spotlighted security breaches at the federal agency. HHS experienced security breaches at the hands of hackers in five separate divisions in the past three years, according to Litten’s blog.
The Times noted “a House Committee on Energy and Commerce report … described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents,” Litten wrote.
“We know it’s not a question of ‘if’ sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but ‘when’ – regardless of who maintains it – and how destructive an incident it will be,” Litten added.
William Maruca, another blogger, opined about the exposure healthcare professionals face as “a result of the negligent disposal of medical practice’s patient records in an unlocked dumpster.”
In other blogs, Litten and Maruca spotlighted instances of HIPAA breaches crossing into the field of professional sports.
Litten wrote about the publicity that followed the ticker-tape parade for the U.S. women’s soccer team in New York City, where shredded confetti apparently large enough for discarded medical information to be legible, rained down from office towers.
Litten and Maruca also discussed the New York Giants’ defensive end Jason Pierre-Paul’s medical record tweet by ESPN reporter Adam Schefter.
After a screenshot of a page from Pierre-Paul’s medical record was tweeted, there ensued a “flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws,” Maruca penned.
In Litten’s opinion, “the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t,” she wrote.
They pointed out the HHS 2002 finding that a professional athlete has the same HIPAA rights as anyone else.
Maruca also believes encrypting all electronic protected health information, especially when transferring it by mail, cloud storage or file transfer protocol (FTP) sites, or saving it to mobile devices, is the way to go.
Encryption is a method of converting an original message or regular text into coded text. It is encrypted by means of an algorithm. There is a low probability that anyone other than the receiving party, who has the key to the code or access to another confidential process, would be able to translate and convert it into comprehensible text, as described in the federal Health Information Technology guide.
Another blogger, Michael Kline, pointed out six steps physicians should use to protect Internet-based patient data. Kline contends the following six tips can help improve the security of protected health information:
- Review the Internet applications your practice uses.
- Ask the application’s manufacturer about its security safeguards.
- Investigate all Internet and external complaints and concerns.
- Keep track of the steps you take to identify and fix the problem.
- Provide a mechanism by which employees can report concerns anonymously.
- Don’t allow staff to use unauthorized public networks.
The federal government also provides recommendations to keep protected health information out of the hands of hackers.
It begins with electronic health records (EHR), which affect the types and combination of safeguards you will need to maintain secure and confidential patient care information, according to the federal Health Information Technology guide.
“Most EHRs and related equipment have security features built in or provided as part of a service, but they are not always configured or enabled properly,” the guide states, adding that it is the responsibility of a physician and the office staff to “keep up-to-date with software upgrades and available patches.” The government recommends vigilance as part of a physician’s regular responsibility.