In July, a laptop computer containing the server backup media of Indianapolis-based Cancer Care Group was stolen from an employee's locked car. According to the practice, the breach may have exposed the PHI of up to 55,000 individuals, including its own employees.
Also in July, hackers gained access to a server storing the electronic health records of the Illinois-based surgical practice The Surgeons of Lake County. Rather than operating quietly and trying to sell the PHI on the black market, the attackers encrypted the PHI on the practice's own server, preventing legitimate users from reaching patient data, and then demanded a ransom in exchange for the password to unlock it. An attack of this kind, now commonly called ransomware, is effective only when the victim has no usable copy of the encrypted data elsewhere; a current backup that the attacker cannot reach is what turns a ransom demand into a restore operation.
Customization: If being able to customize your electronic health record is important for clinician workflow, make sure to ask that question in the RFP. Many companies won't offer much customization, while others are more open to tailoring the product to your organization.
As medical practices step up their attestation of meaningful use in advance of this year's deadline, some have asked why Core Measure 15 places such a direct and costly emphasis on the HIPAA Security Rule. Many object to the standard behind this measure, which is found in 45 CFR 164.308(a)(1). The measure requires every eligible professional to conduct or review a security risk analysis in accordance with that regulation and to implement security updates as necessary to correct the deficiencies it identifies, as part of the practice's ongoing risk management process. Although some physicians may see this requirement as costly and intrusive on their operations, the measure is intended to protect not only the patient but also the medical practice.
A review of the incidents cited above shows that the exposure of the medical enterprises involved is substantial. While the true value of the compromised PHI may never be determined, one fact remains clear: these breaches put patient safety at risk and will cost these organizations significantly in incident response and remediation. The lesson to take from these and the many other healthcare data breaches is that PHI is a highly valued commodity, and illicit access to it can jeopardize the security and stability of the medical practice itself.
Noting that the legislative intent of the meaningful use incentive program was to provide financial incentives for medical practices not only to implement a certified electronic health record system but also to build out and maintain a robust and secure IT network, medical practices should consider earmarking the incentive funds they receive for ongoing IT security. Such an investment promises to pay far greater dividends in the future should the practice find itself the target of an attempted data breach. Furthermore, the cost of noncompliance with Core Measure 15 is not limited to refunding all incentive monies received: the practice also faces HIPAA civil monetary penalties of up to $1.5 million per year for violations of a single provision, as well as civil litigation that can expose the organization to substantial additional damages.