Patient data breaches at health-care organizations made headlines in 2015, and some of the statistics are even more staggering. In the last six years, more than 120 million Americans may have had personal data compromised because of breaches at organizations handling protected health information (PHI).[1] As physicians, we should be concerned about this alarming trend. First, part of our job is to protect patients and work in their best interests. Second, none of us wants to lose patient trust. One survey found that 65 percent of consumers would avoid providers who had undergone a data breach.[2] Third, HIPAA's financial penalties are steep and government enforcement is on the rise.
The sad truth is that none of us is immune to these kinds of breaches. In the old days of paper records, stealing medical records usually meant someone local throwing a brick through the office window to gain access. Today's threats are far more complicated, sophisticated and wide-ranging; one is more likely to be targeted anonymously from thousands of miles away. The human factor and the unavoidable errors of judgment that can lead to breaches are also real and constant, which means staff must be screened and trained continuously. Because new threats are always emerging, one needs to practice constant vigilance and keep systems and software updated. That's something most practices don't have the time, resources or expertise to do.
Unfortunately, there is no simple answer and no perfect fix. Attempts to improve cyber security will inevitably involve trade-offs in terms of time, money, effort and how much risk exposure your practice is comfortable with. As a practicing gastroenterologist and avid computer user who has some familiarity with EHR systems and basic computer security issues, I can offer the following general suggestions on what physicians can do to reduce the risks of cyberattacks and data breaches. (None of my suggestions should be interpreted as endorsements of any particular products or companies.)
- Talk to your EHR vendor. This is an excellent place to start. Some EHR vendors may be able to advise you on what your practice can do to routinely guard against security breaches. You may also want to ask your EHR vendor to explain what capabilities they use now and plan to use in the near future to help your practice guard against emerging threats.
- Don't use default passwords or vulnerable passwords that can be easily guessed by hackers. Admin1234 is not a secure password. Yet, many practices still commonly use such passwords, according to the CEO of an EMR company with whom I recently talked (his company's EHR system disallows use of such vulnerable passwords). Use longer passwords or passphrases (passwords with spaces; these can be short sentences that are easy to remember). Don't use the same password for multiple programs. To avoid having to remember lots of different passwords, consider using a password manager such as 1Password or LastPass.
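As an added illustration of the password rule above (this is example code, not the article's or any EHR vendor's), here is the kind of policy check a practice or vendor could run when a password is set: it rejects well-known defaults such as Admin1234, rejects a common word merely padded with digits or symbols, and accepts a longer passphrase with spaces. The length thresholds and the short denylist are assumptions chosen for the example.

```python
import re

# Constructed, deliberately short denylist of default/guessable passwords (assumption).
COMMON_DEFAULTS = {
    "password", "admin", "admin1234", "welcome1", "letmein", "123456", "qwerty", "changeme",
}
# Common word stems that stay guessable even when padded with digits or symbols (assumption).
COMMON_STEMS = {"admin", "password", "welcome", "letmein", "qwerty", "practice", "doctor"}

MIN_PASSWORD_LEN = 12      # assumed policy threshold for a single-word password
MIN_PASSPHRASE_LEN = 20    # assumed threshold for a multi-word passphrase
MIN_PASSPHRASE_WORDS = 4   # assumed minimum number of distinct words in a passphrase


def check_password(candidate: str):
    """Return (accepted, reason) for a proposed password or passphrase.

    Mirrors the article's advice: no default passwords, no common word with
    digits tacked on, and length (or a multi-word passphrase) over complexity.
    """
    pw = candidate.strip()
    lowered = pw.lower()

    # 1. Exact match against well-known defaults ("admin1234", "password", ...).
    if lowered in COMMON_DEFAULTS:
        return False, "matches a well-known default password"

    # 2. "Admin1234" or "Password2016!": a common word padded with a few digits/symbols.
    stem = re.sub(r"[^a-z]", "", lowered)
    if stem in COMMON_STEMS and (len(pw) - len(stem)) <= 6:
        return False, f"common word '{stem}' padded with digits or symbols"

    # 3. Passphrase path: several distinct words separated by spaces.
    words = pw.split()
    if len(words) >= MIN_PASSPHRASE_WORDS:
        if len({w.lower() for w in words}) < MIN_PASSPHRASE_WORDS:
            return False, "passphrase repeats the same word"
        if len(pw) < MIN_PASSPHRASE_LEN:
            return False, f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters"
        return True, "passphrase accepted"

    # 4. Single-word password path: length is what matters most.
    if len(pw) < MIN_PASSWORD_LEN:
        return False, f"shorter than {MIN_PASSWORD_LEN} characters; consider a passphrase"
    return True, "password accepted"
```

The same check is a natural place to enforce that the new password differs from the user's previous ones, which a password manager makes easy to satisfy.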
- Vet and train staff. Staff need to know and be reminded not to give out their passwords or let their passwords be seen by others. They also need to avoid taking non-secured laptops out of the office … period. Staff should also be advised not to leave in-office computers unattended without first logging off.
- Separate personal and business usage or use two computers. Computers used to access medical records should not also run common Internet-based applications, such as personal email, Facebook, iTunes and photo downloading sites. That's because accessing Internet links leaves you susceptible to malware attacks and computer viruses. Either have separate computers for medical records, or use a virtual machine or a software application such as Citrix, which provides secure access to clinical applications, medical content and patient records. (I use one computer for both personal and work purposes, but always log in via Citrix for anything related to medical records.)
- Using secure access software like Citrix also allows users to securely access medical information from a remote or home-based computer. This is good if you or your staff need to get into medical records during non-business hours. If you are a small practice and can't afford Citrix, you may want to look at remote desktop service applications that offer certificate-based or two-factor authentication. Again, ask your EMR or EHR vendor if they can help set that up or give advice.
- Conduct a cybersecurity audit or assessment once every year or two. This can identify vulnerabilities and risks in your system. Ask your EHR vendor if they can do this or recommend a company that can. Another option is to have your website scanned for potential vulnerabilities. There are several reputable companies that do this, including Tenable Network Security's Nessus and Qualys, which offers a free online security scan.
Again, while there is no complete fix or easy solution, being mindful of how real security breaches are and conducting a few basic checks such as those outlined here can go a long way in reducing risks to your practice and your patients.
Dr. Kaufman served on the Health IT Standards Committee, Privacy and Security Workgroup for the Office of the National Coordinator for Healthcare Information Technology. Representing AGA, Dr. Kaufman is a delegate to the AMA and has served as the co-chair of the Physicians Electronic Health Record Coalition.
1. Andrea Peterson, "2015 Is Already the Year of the Healthcare Hack, and It's Only Going to Get Worse," The Washington Post, March 20, 2015. https://www.washingtonpost.com/news/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/
2. TransUnion Healthcare Survey, "Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Experience a Data Breach," March 24, 2015. http://newsroom.transunion.com/transunion-survey-nearly-seven-in-10-patients-would-avoid-healthcare-providersthat-undergo-a-data/