Author – Justin Schwartz M.P.H., Atlantic Tomorrow Office
Don’t be fooled into complacency!
You and your patients are probably more familiar with security risks, the costs, and hassles associated with inadequate data protection than you realize.
Consider these examples:
- Have you ever been the victim of a computer virus, or do you know someone who has?
- Are you concerned about what would happen if the computer hard disk storing your patients’ medical information failed? What if it was your medical information?
- Do you worry about the next ransomware attack or cyber breach that exposes patient data?
- Do you worry that someone might eavesdrop on your wireless communications? Do you worry about how mobile communication is occurring?
- Are you concerned when a major pharmaceutical company unintentionally distributes the e-mail addresses of hundreds of patients taking an antidepressant medication? What are the repercussions?
The widespread use of computers, smart phones, software, and networks to exchange digitized data creates new vulnerabilities. It also reveals new dimensions to old risks. Much of the problem with computer security is however of our own making – the result of our love of convenience and our drive to be more efficient. Technology automates routine, mundane tasks. By storing compacted, bite-sized information inside machines, we are able to collect data more easily, analyze it in new ways and cut down on storage costs.
In reality, we have a false sense of security that our data is safely tucked away. Computer storage devices can be broken or damaged, and the information in them can be erased or corrupted, exposing the data to unexpected change or loss. It is possible to steal thousands of medical records by downloading them onto a small storage device, which can easily be hidden in a pocket. Breach, theft, loss are all part of the security mix that must be addressed, however balanced with efficiency, access, and knowledge. Not always an easy request.
Similarly, we find networks of computers wonderfully convenient for sending messages across any distance at almost the speed of light. We delight in email, file downloads, instant messaging and mobile networks in our new instant-results, data-driven world that we live in. But the Internet has no borders or natural boundaries, making it easy for attackers to strike from a distance and to hide their whereabouts. The dilemma is quite real. Any time we connect our computers to the Internet, we instantly become vulnerable to new kinds of attacks, such as viruses and worms that can literally get inside our computers and alter, destroy or release confidential information and introduce new threats such as ransom attacks.
One problem merits special mention. Computers have made the issue of identity much more problematic. People have always been able to use someone else’s identity for criminal purposes, but the problem is exacerbated when we can’t use a person’s face, signature or other physical means to confirm their identity.
- How do you know the person sending you e-mail is truly the person he or she claims to be?
- How do you know the person whose name is attached to an electronic health record (EHR) entry really made it?
Due to this vulnerability, hackers use computer viruses to propagate their nastiness, using technology to steal money and goods.
The importance of encryption. It is important to understand what encryption will do and when it is necessary. Contrary to what many people are saying, the HIPAA security standards do not require emails, or any other transmission from a doctor’s office, to be encrypted. The standards do require your practice or organization to assess whether its unencrypted transmissions of health information are at risk of being accessed by unauthorized entities. If they are, you should consider some form of encryption. With increased threats of breach, and the healthcare industry a prime target – encrypting communications should be considered a no-brainer for most organizations.
Here is a list of electronic data transfers and communications commonly used in health care that should be considered for encryption:
- a) Patient billing and administrative information exchanged with payers and health plans;
- b) Utilization and case management data, including authorizations and referrals that are exchanged with payers, hospitals, and utilization management organizations;
- c) Patient health information (PHI) gathered from or displayed on a Web site or portal;
- d) Lab and other clinical data electronically sent to and received from outside labs;
- e) Word-processing files used in transcription and other kinds of patient reports that are transferred electronically;
- f)Emails or text messages, including images and attachments, between care giving teams (physicians, specialists, nurses, pharmacists, patients etc.).
Care Taker Mobility and Security. Computer security must now also stretch to encompass the device. The industry as a whole has embraced mobility. Smart phones and tablets have become a way to increase productivity, increase patient engagement and provide superior patient care. Rapid response, collaboration, and knowledge sharing over text has grown significantly amongst care giving teams in order to provide better service and improved experiences for the patient and care givers. Estimates show that upwards of 95% of healthcare professionals, physicians and nurses use their smartphones and tablets for work – whether sanctioned or not.
The mobile device itself introduces its own list of security issues as we know, however we must consider the data stored, shared and transmitted on these devices and how that information is kept safe as well. To address use case concerns such as those listed above – secure, ephemeral and compliant messaging apps provide a secure means in which to collaborate between care giving teams and payers, enabling health care professionals to utilize text in an HIPAA compliant manner. Protection of PHI, PII, IP, and integration with the EHR to ensure privacy and completeness of the patient record can now be ensured.
The bottom line is this: Computer security is a requirement for any sound business, including your medical practice, hospital or agency. Computer security is needed to protect the privacy of those whose information you store and manage. It is also needed to protect you and your practice from the risk of penalty and legal liability in the case of breach.
Healthcare organizations have two choices:
- a) Delay learning about computer security and risk playing catch-up when an attack or accident causes harm to a patient, your hospital, agency or practice. We all know far too well how this turns out – you risk reputational damage and heavy fines in this scenario.
- b)Proactively plan for and implement necessary security and the appropriate technologies based on your organizational requirements. This will allow you to detect and prevent costly trouble down the road.
We would love to discuss this topic more with you. To find out more about Atlantic Tomorrow Offices and Vaporstream, or about Secure Messaging and how it can be utilized to improve your security profile, contact us.