Data breaches a near certainty
Understand how data can be compromised and know how to respond if it happens to you.
In today's digital climate, says Jennifer Searfoss, Esq., loss or breach of protected health information (PHI) is not a question of likelihood – "It's a certainty. It's just a question of when, and of what nature." As chief solutions strategist for Ashburn, Virginia-based consulting firm SCG Health, she says she hears of new data breaches in dermatology daily.
"Most dermatologists probably received no specific training in information security," says Jules Lipoff, M.D. "Younger physicians may be more comfortable in this arena because they've grown up with electronic communications. But really, everyone is at risk." Dr. Lipoff is assistant professor of dermatology at the University of Pennsylvania.
The depth and richness of healthcare data make it a "top three" target in terms of financial damage being done, says Scott Schober, president and CEO of Berkeley Varitronics Systems. Rather than making hundreds of dollars in bogus retail purchases, he explains, medical-history information allows thieves to order – and get paid for – thousands of dollars in appropriate-looking tests before anyone notices.
"The value of stealing someone's medical identity is 10 times that of their basic identity," Mr. Schober says.
Moreover, "It's very difficult to catch these criminals. It's not a single case of medical fraud." Instead, Mr. Schober says, thieves may take a year to test and package the data from up to 1,000 individuals and sell it for perhaps $100,000.
"It goes through several hands before it gets broken up and spread out, so you can't trace it back to the original cyberthieves," Mr. Schober says.
Any device employees or business partners use to access your network can be vulnerable (for data-security tips, see related article).
You've been hacked!
Under the Health Information Portability & Accountability Act (HIPAA), physicians must report breaches involving "the acquisition, access, use or disclosure of PHI" to the U.S. Department of Health and Human Services (HHS).[1] If the breach impacts more than 500 people, physicians must report the name and state of the entity breached, number of records affected, type and source of the breach and involvement of any external vendors. When a breach impacts 800 people, says Ms. Searfoss, "we start looking at identity-theft protection and media releases. But I've never had a breach that was anywhere close to those numbers. It's either two or 200,000."
If a breach appears to impact 50 patients, Ms. Searfoss explains, "Those are just the 50 you know about." The problem likely has spread to hundreds or thousands of their connections. Often, says Mr. Schober, victims aren't certain what has been compromised – and it could cost six-figure consultant fees to ferret it out.
When one's practice experiences a suspected breach, the appropriate response depends on the problem's scope. If a portable device that uses encryption and remote-wiping capabilities is lost or stolen, says Ms. Searfoss, "That's not a reportable breach." If an incorrect bill goes to one patient, she says, your HIPAA privacy officer should document what happened, identify preventative tactics for the future and share this information with the patient.