Cyber liability questions to consider
Cyber-crime is on the rise, with the health care industry its number one target. Cyber criminals have discovered that patient data is often less secure and more valuable than other forms of personally identifiable information, such as credit card numbers or home addresses. Medical records contain such detailed information as health insurance ID numbers, birth dates, social security numbers, and medical histories—all information that can be used in a variety of ways to steal identities.
Through the end of July 2014, more than 11.8 million health data records were reported as being breached to the U.S. Department of Health and Human Services. As one prominent cyber risk assessment commentator noted: “Companies fail at the basics. Whether it’s a large company or small, the amount of private information that we find companies putting on laptops and other devices with hardly any controls or encryption is amazing.”
Do you know if your practice is compliant with the latest federal and Texas medical privacy and security laws? These privacy laws require appropriate compliance to avoid potential fines and penalties.
To help physicians further identify their cyber liability exposures, consider the following questions, as they apply to your practice:
- How well are you currently safeguarding patients’ health data? Are you using encryption whenever possible or other secure methods to prevent access to patients’ electronic Protected Health Information (ePHI) - especially on mobile devices? Consider encryption of confidential data both at rest on your servers and in motion to protect it from being accessed by unauthorized users.
- Are your Privacy Policies and Procedures up-to-date and are they being followed? Are your employees receiving training on how to properly handle PHI?
- Do you keep your antivirus and anti-malware software active and up-to-date, and are you installing security software patches in a timely manner? Or is your IT outdated or running obsolete, unsupported software, such as Windows XP?
- Are you using firewalls to block external access to your network and unauthorized outgoing activity? Firewall security and up-to-date firewall rules should be considered minimum protection and an integral part of your overall network security. Configuring your firewall to send alerts on suspicious network traffic and regularly reviewing your firewall logs are also important.
- Do you use secure mail or a HIPAA-compliant mobile or desktop application? All it takes is one piece of identifying information (e.g., a patient’s name) and one piece of private information (e.g., a diagnosis) and the text message is ePHI and needs to be secured.
- How often do you do complete backups of your electronic records? And are your data backups stored away from your premises? A computer breakdown or off-premises power failure can result in lost data.
- Do you understand your notification responsibilities to your patients and to federal and state privacy agencies if you experience a reportable data breach?
- Would a data breach impact your practice’s revenue? Have you considered the costs of lost production by your employees working to deal with the breach and the loss of efficiency and potential reputational harm from a cyber claim?
- Do you have any insurance coverage for cyber liability losses? If so, how comprehensive is the policy and are the limits of liability adequate?
- Do you have a cyber loss prevention and disaster recovery plan? The benefits of implementing such a plan include:
  - Avoidance or prevention of cyber losses and resulting computer processing interruptions.
  - Preservation and protection of your electronic data.
  - Continuity of employment for your employees with minimal loss of productivity.
  - Fulfillment of service commitments to your patients.
  - Uninterrupted collection of your accounts receivable.
  - Security of your patients’ PHI and SPI.
  - Compliance with state and federal medical privacy and security laws.
Today, more and more companies are taking additional steps to protect their confidential data, including trying to isolate it from the rest of their network. They are also using advanced technologies that can detect and prevent network intrusion, such as Intrusion Detection Systems and Intrusion Prevention Systems, to monitor and respond to internal or external malicious activity on their network. And they may also conduct penetration testing to detect vulnerabilities within their network security.
The HIPAA Security Rule requires covered entities, such as healthcare providers, and their Business Associates to comply with particular safeguards and standards to protect the confidentiality, integrity and availability of PHI. The key is having the proper privacy and security procedures in place in advance, as it is much easier to prevent a data breach before it occurs.
According to the security company Symantec, hacking attacks surged by 62 percent last year, and the realization for many organizations today is that computer security can no longer be an afterthought. This is best summed up in a recent white paper by RSA, the security division of EMC, titled The Current State of Cyber-Crime 2014:
“…organizations recognize that good security isn’t just about preventing attacks and breaches. It’s also about accepting that attacks are inevitable [emphasis added], and implementing tools and techniques … to enable rapid detection and remediation.
In essence, the more an organization is able to narrow the window of opportunity for an attacker, the better they can minimize damage and losses.”