Are Your Medical Records Safe?

November 25, 2014

As Seen in Maryland Physician Magazine – November/December 2014 Issue: Are Your Medical Records Safe?

By Nathalie Griffin-Ames, CPA

According to Redspin, a leader in healthcare IT security, a total of 804 large breaches of protected health information, affecting over 29.2 million patient records, were reported to the Secretary of Health and Human Services between August 2009 and December 2013.

The 2013 statistics reported by Redspin are alarming:

- Over 7 million patient health records were breached
- There was a 137% increase in the number of patient records breached vs. 2012
- 83% of patient records breached resulted from theft
- 22% of breach incidents resulted from unauthorized access
- 35% of incidents were due to the loss or theft of an unencrypted laptop or other portable electronic device

Medical record protection is an important part of today's medical practice. Although the switch to electronic record keeping has many advantages, it also entails many new risks. The reasons that so many medical records are at risk include:

- Hackers – the number of attacks on hospitals, private clinics and medical practices has increased substantially, to the point where hacking accounted for 33% of all medical record theft in 2013.
- Lost or stolen electronic devices
- Failure to delete – equipment used by medical practices is being discarded without the sensitive information it contains being fully deleted.
- Third-party error – many healthcare organizations outsource medical record storage and management to third-party vendors, but in some cases these vendors are not qualified to secure this information.
- Open Wi-Fi networks that are not properly secured
- Insider access – examples include employees who leave a file open on their computer or allow an unauthorized person to view a medical record.
- The 'Cloud' – more healthcare organizations are moving their patient health records to the cloud. However, very few are confident that they can protect this information from thieves.

How Can You Protect Your Medical Records?

Security tips to combat some of the risks listed above include:

- Install USB locks on computers, laptops and other mobile devices to prevent unauthorized data transfer.
- Install geolocation tracking software on mobile devices, which allows for tracking, locating and wiping a mobile device of all data in the event it is lost or stolen.
- Encrypt all mobile devices and USB drives that will be used remotely and that contain sensitive data. Even if you allow employees to use their own tablets, laptops and/or smart phones, you should require encryption.
- Turn all computers completely off when not in use, even if you have installed full-disk encryption. Most leading encryption products are configured so that once the password has been entered, the laptop is unencrypted and unprotected until it is powered down. Simply putting the laptop in "sleep" mode does not cause the encryption protection to kick in.
- Educate your employees about security awareness. Discourage them from downloading applications and free software that may contain malware, from turning off security settings, and from leaving data unencrypted in transit or at rest, as these are all behaviors that put you at risk. Provide frequent IT security awareness training for your staff.
- Before disposing of equipment, including copiers, smart phones, laptops and ultrasound machines, wipe the hard drives of all data.
- Implement Electronic Protected Health Information (EPHI) security – as electronic medical records are accessed more frequently from mobile devices, the risk of contamination from a virus increases significantly, which makes investing in a proactive data management strategy even more critical.
- Conduct an annual HIPAA Security Risk Analysis – periodic risk analysis is a requirement of the HIPAA Security Rule, and practices should plan and budget for it in advance.
- Assess security risk by identifying real vulnerabilities and developing a solution to those vulnerabilities. It is recommended that healthcare organizations engage in ongoing vulnerability scanning and remediation by implementing a monthly or quarterly test schedule.
- Ensure your business associates are effectively safeguarding your electronic medical records.

Nathalie Griffin-Ames, CPA, is a Manager at KatzAbosch. She can be reached at firstname.lastname@example.org.