My computer system was hacked. Now what?
Dr. Derm logged into his office computer system, only to find a ransom note from a hacker, asking for money in exchange for the safe return of his patients’ records. While this might seem farfetched, this situation happened to a small medical practice outside Chicago, Surgeons of Lake County.
In that office, hackers broke into the practice’s server, encrypted the patient data, and demanded a ransom. This is not the first instance of such hacking — it certainly will not be the last, as the use of electronic health records (EHR) and electronic medical records (EMR) becomes increasingly widespread.
There is a distinction between EHRs and EMRs — EMRs are records within the office of a single provider, whereas EHRs are linked across multiple offices, though many use the terms interchangeably. As with paper medical records, EMRs have both advantages and disadvantages.
A big advantage over paper medical records is the ease in which huge amounts of data can be accessed and stored — but a big disadvantage is that the transportability of data makes it that much easier to lose or misplace. While losing a paper chart is a problem, losing, for example, a USB drive with huge amounts of patient data multiplies that problem exponentially.
Equally, storing patient data on servers leads to physicians and patients (via patient portals) being able to remotely access their data — but it also opens the door to a determined hacker who could be located anywhere in the world.
The Surgeons of Lake County chose to shut their server down and report the hack to the authorities rather than pay the blackmail. Should Dr. Derm simply chose to pay the blackmail and recover his records or take the chance that he may have to pay fines for breaches in confidentiality, fees for notification, and damage to the practice due to negative exposure?
While the United States has seen a significant increase in EMR usage, it is actually behind the EMR adoption curve compared to many others. Transitions to EMR have had a great degree of success in other countries, such as the United Kingdom, New Zealand, and the Netherlands (where 98 percent of physicians use EMRs) — whereas in the United States the number of physicians utilizing EMR in 2011 was substantially lower.
Despite the challenges and costs, few physicians who have adopted EMR would argue that the inconveniences outweigh the benefits, and few would return to a paper-based format. However, with EMR comes the risk of a HIPAA confidentiality breach.
Big data breaches
The Secretary of the Department of Health and Human Services maintains records of HIPAA breaches, and reports that nearly 21 million people have had their EMR/EHR records stolen or lost — just in the past three years. The largest individual breach was the loss of records for 4.9 million individuals by TRICARE, the healthcare program for Armed Forces members, retirees, and their families, due to a subcontractor losing a cache of backup tapes in 2009.
Eastern European hackers stole the records of 780,000 Utah residents at the Utah Department of Health in 2012, showing that it is not only physicians and hospitals that have to be vigilant. Medical insurance companies are on the hook, too — Blue Cross Blue Shield and Health Net have had breaches of the data of millions of individuals. Eastern European and Russian hackers aren’t the only ones compromising patient data by illegally accessing it. Other instances include employees with access to medical records stealing and selling them, or simply misplacing items of technology, such as a laptop or USB drive.
Dr. Derm is liable for both his own actions and the actions of his employees. A covered entity must have a privacy plan that includes appropriate sanctions for an employee violating the Privacy Rule or the entity’s privacy policies and procedures. The Office for Civil Rights (OCR) within the Department of Health and Human Services is the body that investigates, conducts compliance reviews, and educates if it is suspected that the covered entity is in violation of HIPAA.
If the OCR investigates and discovers that Dr. Derm was not in compliance, it will attempt to resolve the problem by: obtaining voluntary compliance, taking corrective action and/or a resolution agreement. Ultimately, the OCR is able to impose civil money penalties.
Duty to protect data
In light of the possibility of breaches, Dr. Derm has an obligation to adhere to HIPAA and keep his patients’ data safe. There are a host of methods by which this can be achieved, ranging from common sense solutions to more advanced technology based solutions. These solutions need to be balanced with usability, however, so that safety practices are actually followed. For example, requiring frequent password changes and making users choose complex passwords has had limited success in preventing unauthorized access — users are less likely to remember passwords and will write them down or forget them. And no matter how strong password protection is, it won’t prevent unauthorized access if a provider logs in, then walks away from a workstation, leaving the data open and accessible to anyone passing by — protection of data must also include procedures that staff actually follow.
Annual risk assessments are required by the security management process of the HIPAA regulations, and the results of the assessments can help organize and formulate a plan for compliance, training, and encryption.