Q: What do you recommend to hospitals, physicians and other providers to minimize the risk of a breach of confidential patient information and to lessen the degree of harm in the event of a breach?
A: I recommend creation in advance of a response process to enable a rapid, sensible response. The goals in such a plan (“Incident Response Plan” or “IRP”) are to demonstrate compliance with HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) regulations and to mitigate any harm that may result from the breach.
Q: What specific steps should be taken to prepare for a breach?
A: The first step is to create an IRP that includes all appropriate parties and to appoint someone in the practice or facility who is knowledgeable about HIPAA and HITECH requirements. The second step is to make certain that the process created is a quick, sensible one. In addition, information technology (IT) components, such as encryption throughout the process, are imperative. The safe harbor provision of the breach notification rule establishes a certain standard of encryption and relieves the provider from breach notification responsibilities if the protected patient information has been properly encrypted. Most breaches result from lost IT assets such as phones, laptops and iPads. Fourth, the IRP must be supported by sufficient employee and staff training. I also recommend that you adequately document that this training took place. Finally, insurance should be in place to provide for risk transfer as needed. Cyberliability is a continually developing area along with a range of products that foresee types of breaches and predict costs that may be incurred.
Q: How do such losses occur?
A: Along with loss of IT assets, losses occur through misdirected faxes, disposal of non-shredded records, inappropriate disposal or destruction of paper (such as placing material in a dumpster without shredding), and mailing patient information to an incorrect address. Intentional loss or compromise of data can occur through a combination of IT and social engineering, such as where a person is tricked into clicking on a hyperlink or revealing a password. This occurs with spear phishing or false emails inserting malware in a system and is very difficult to control. In the case of CryptoLocker, the perpetrator makes a threat and requires payment to restore prevention. This also is called ransomware and can make the system and information completely inaccessible to everyone in your organization, effectively stymieing patient care and business operations.