After a malware incident in 2014, Anchorage Community Mental Health Services (ACMHS) in Alaska paid a $150,000 fine and adopted a corrective action plan to improve the security of its technology resources. The Department of Health and Human Services Office for Civil Rights (OCR) said the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software.
ACMHS is far from alone.
OCR keeps a running tally online of healthcare organizations that have suffered breaches of protected health information (PHI) affecting 500 or more individuals. Known informally as the “wall of shame,” the list contains hundreds of examples of lost laptops, thefts, hacking incidents and unauthorized disclosures.
Most behavioral providers are small organizations without significant resources to devote to information security. The person who functions as the compliance officer might wear several other hats in the organization as well, and the providers might depend on a small internal or external IT service organization to oversee security. Behavioral Healthcare asked experts with experience helping provider organizations improve their privacy and security posture for their recommendations on how to be more proactive about safeguarding PHI and what to do if they have a breach.
1. Inventory your data
First, it is crucial for small and mid-sized organizations to know what data they have, where it is, and how it is being accessed, says George Bailey, senior advisor for security for Purdue Healthcare Advisors in West Lafayette, Ind. If you don’t know where all your data is, you won’t be sure a breach is completely contained once it happens. Plus, the security controls to put in place will be different when data is regularly accessed, for example, on a laptop vs. a fixed workstation.
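As an added illustration of the inventory step (this is example code written for this page, not anything from the article or from Purdue Healthcare Advisors), the script below walks a directory tree and flags text files that contain PHI-like patterns, so an organization can see which shares, exports and backups actually hold identifiable data. The regular expressions, file extensions and the sample files it generates are assumptions for demonstration; a real deployment would tune the patterns to its own record formats and would need other tooling for binary formats such as scanned images.

```python
"""Minimal data-inventory scanner: walk a directory tree and report which
text files contain PHI-like content, ranked by how much they contain.

Added example for this page; not from the original article.  The patterns,
extensions and sample files are assumptions chosen for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic patterns that commonly appear in patient records (assumption:
# tune these to your own intake forms, EHR exports and note templates).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
}

# Extensions worth opening as text; images, PDFs and DICOM need other tools.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".md"}


@dataclass
class Finding:
    path: str
    size_bytes: int
    hits: dict  # pattern name -> number of matches in the file


def scan_file(path):
    """Return a Finding for one file, or None if no PHI pattern matched."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    hits = {name: count for name, count in hits.items() if count}
    if not hits:
        return None
    return Finding(path=path, size_bytes=os.path.getsize(path), hits=hits)


def scan_tree(root):
    """Walk `root` and return Findings for every text file with PHI-like
    content, noisiest files first (those are the ones to encrypt, move
    behind access controls, or purge)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            finding = scan_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: (-sum(f.hits.values()), f.path))
    return findings


def build_sample_tree(base):
    """Write a few constructed files (sample data, not real records) so the
    scanner can be exercised offline."""
    os.makedirs(os.path.join(base, "shared", "exports"), exist_ok=True)
    os.makedirs(os.path.join(base, "laptop_backup"), exist_ok=True)
    with open(os.path.join(base, "shared", "exports", "intake.csv"), "w") as fh:
        fh.write("name,ssn,dob\n")
        fh.write("Pat Example,123-45-6789,DOB: 01/02/1980\n")
        fh.write("Sam Example,987-65-4321,DOB: 03/04/1975\n")
    with open(os.path.join(base, "laptop_backup", "notes.txt"), "w") as fh:
        fh.write("Session note for MRN 00123456. Call back at (555) 123-4567.\n")
    with open(os.path.join(base, "shared", "readme.md"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    with open(os.path.join(base, "shared", "scan.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # binary; skipped by extension
    return base


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="phi-inventory-")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}  ({f.size_bytes} bytes)  {f.hits}")
```

On the constructed sample the export file ranks first (two SSNs and two dates of birth), the laptop backup second (one MRN and one phone number), and the README and the PNG do not appear at all. The point of ranking is practical: the file that scores highest is the one whose location and access path you need to understand before a breach, not after.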
2. Complete a risk assessment
Doing a thorough risk assessment is a cornerstone of HIPAA compliance, Bailey says. You’ll want to determine how important backup and business continuity might be, based on your inventory of assets and data.
“You may know you need to have a backup plan, but is it a top 10 priority? A risk assessment will help identify and prioritize some of the remediation efforts,” he says.
Another option becoming more popular with smaller organizations that don’t have a lot of resources is working with a cyberinsurance company, says Rich Kam, president of ID Experts, a Portland, Ore.-based company that provides IT security software and services. Just applying for the insurance can lead the providers through a risk assessment.
“The insurers put tools online for doing risk assessments,” he says. “A questionnaire will walk providers through issues around employee training and updating firewalls.”
3. Make sure training is uniform
Many breaches involve “phishing” incidents, in which an employee is tricked into clicking on a malicious attachment that looks harmless but ultimately compromises security. Only continual training and reminders can prevent that, the experts say. But healthcare providers focused on their patients often don’t think about security training, authentication and access control, Bailey says. He adds that some organizations have certain standards for clinicians and others for administrative employees when it comes to security awareness, onboarding and training. Leaders might assume the clinicians understand that they have to be good stewards of the data, and it is common to skimp on refresher training, he says.
“But those physicians may not understand how to use antivirus software or fundamental things about how to keep data safe,” Bailey adds. “They are a weak point in the security.”
If it happens to you
So what should you do if your organization experiences a breach? Obviously, it depends on circumstances: whether it is a lost or stolen laptop, a malicious hacking event, or even a misplaced paper file. But if you look at the wall of shame on the OCR website, the majority of breaches involve smaller organizations and there are trends among them, says Sarah Badahman, CEO of St. Louis-based HIPAAtrek, a HIPAA compliance organization.
“A lot of them are losing laptops or other devices that have PHI on them,” she says.
Loss is an easy thing to correct, however. It all comes down to education: Don't leave laptops in cars or other locations where they are easy targets for thieves. Another simple solution for security: When traveling, don't access unknown networks.
“Don’t sit in a Starbucks and access patient information—those are unsecure networks,” Badahman says. “Organizations are doing compliance 101 training when they should be creating robust policies and procedures and doing training on those. The issue comes down to viewing compliance as a checkbox vs. compliance as a culture.”