HHS Presents Major Data Breaches On-Line

Unhappy Camper (Vol. 1, Issue 10)
I did a quick breakdown of the data breaches each affecting over 500 patients that are presented on-line (by law, mind you) by the Federal government’s Health and Human Services web site at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru...
Over the past year there have been 166 such incidents reported to HHS as required by law. That figure does not count breaches affecting fewer than 500 patients, nor does it reflect incidents where the health care entity failed to report the breach, in violation of the law. Speculation on other web sites is that the actual numbers may be much, much larger. 166 major breaches may not strike you as an overly large number, but it accounts for 4.9 million individual PHI data sets, and at an average cost of about $200 per record breached, this adds up to about one billion dollars in costs to providers (see http://www.ihealthbeat.org/articles/2010/8/13/security-breaches-may-caus...).
The number one reason cited in these breach incidents was theft of a laptop (48). Take the tablets with you when you exit a patient exam room. Make the laptops unattractive by slapping a bumper sticker on the cover with some health promotional message that your patients will be forced to read. Cover the closed computer with a towel to disguise it lying on the car seat next to you. Your laptops, tablets, PDAs, and cell phones are all encrypted, right? Remember that not all sensitive PHI is in your supposedly secure EMR. It may be lying unnoticed on your desktop in an unsecured .xls spreadsheet kept for accounting purposes, and that one file may contain thousands of records on your patients. Or it may be in reports or letters generated by your EMR as standalone files located deep within your computer. Be sure to find and secure or delete such files when they are not needed.
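As an added illustration of the "find and secure or delete" advice above (this is not code from the original post), the following Python script walks a workstation folder and flags spreadsheets, exported reports and generated letters that look like they hold patient identifiers. The sample folder, its file names and the SSN/date-of-birth heuristics are all constructed assumptions; the office-format files are only flagged by extension, since reading them needs a real parser.

```python
import re
import tempfile
from pathlib import Path

# File types an EMR export or an accounting workflow tends to leave behind:
# spreadsheets, CSV reports, generated letters, plain-text dumps.
SUSPECT_EXTENSIONS = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".rtf", ".txt"}
TEXT_READABLE = {".csv", ".txt", ".rtf"}

# Crude indicators of patient identifiers inside text-readable files.
# These are heuristics, not a PHI classifier: an SSN-shaped number or a
# date-of-birth column header is enough to justify a manual look.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob_header": re.compile(r"\b(dob|date of birth)\b", re.IGNORECASE),
}


def scan_for_stray_phi(root):
    """Return [(relative_path, reasons)] for files worth securing or deleting."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        reasons = []
        if path.suffix.lower() in TEXT_READABLE:
            text = path.read_text(errors="ignore")
            for name, pattern in PHI_PATTERNS.items():
                hits = len(pattern.findall(text))
                if hits:
                    reasons.append(f"{name}:{hits}")
        else:
            # Binary office formats are flagged for review rather than parsed.
            reasons.append("office-file")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_tree():
    """Constructed sample 'Desktop': a billing CSV with SSNs, a harmless note,
    an exported spreadsheet, and a PDF the scanner should ignore."""
    root = Path(tempfile.mkdtemp(prefix="phi-scan-"))
    desk = root / "Desktop"
    desk.mkdir()
    (desk / "billing_2010.csv").write_text(
        "Name,DOB,SSN,Balance\nJane Roe,1950-01-02,123-45-6789,120.00\n"
        "John Doe,1960-03-04,987-65-4321,0.00\n")
    (desk / "lunch.txt").write_text("order sandwiches for Friday\n")
    (desk / "recalls.xls").write_bytes(b"\xd0\xcf\x11\xe0 placeholder")
    (desk / "brochure.pdf").write_bytes(b"%PDF-1.4 placeholder")
    return root


if __name__ == "__main__":
    for rel_path, why in scan_for_stray_phi(build_sample_tree()):
        print(rel_path, why)
```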
Number two was ‘other’ (45). Not much we can do with that unless we get into more detail.
To be fair, number three (36), including the 3 incidents here in RI, was theft of paper records. Most were large institutional users, such as insurance companies, hospitals, or large clinics. I suspect most of these cases were related to the compromise of computer-generated spreadsheet data rather than the wholesale thefts of the actual patient file folders, but this points out just how dangerous these spreadsheets can be if left unsecured. Before I adopted EMR I remember carrying home stacks of charts to refer to in calling back patients, but I never brought home more than 10 at a time. While paper records might be more subject to casual theft, computers are a much more inviting target and contain a lot more patient data to be breached.
Fourth was desktop computer thefts (27), and sixth was server thefts (15), pointing out the need for good locks and an alarm system in your office. My IT vendor recommended literally bolting the server to the floor to secure it. Remember that the Windows Server OS does not, at present, support reasonable data encryption, so please at least password-protect any backup tapes or other such media.
Fifth was theft of portable electronic devices such as PDAs and cell phones (25). Such devices are great for communications and professional reference tools such as ePocrates, but very bad for storing sensitive patient information. Whether by loss or theft matters not to the folks at HHS, and if you leave an accessible patient data file on the device you’ll be asking for big trouble. It seems most EMR vendors are rolling out apps for these devices that can tap into your patient data. This is done by the vendors to satisfy the demands of physicians who think that they must have the latest and greatest thing. But in conversations I’ve had as of late, I’ve been taken aback by the level of unawareness many, if not most, physicians have about EMR and security issues when using such devices. Whether an iPad or an iPhone, such items are an inviting target for theft so make sure you truly know what you’re doing, and do it securely.
Sixth place was a tie between hacks and e-mail fiascos. Firewalls would hopefully prevent such attacks but one prominent US hacker enjoyed great success by simply calling up random low-level employees, announcing himself to be from the company’s IT team, and asking for (and receiving) full, unfettered access to the server. Train your employees to refer all such calls to either you or to your in-house IT person, if you have one. And if you or your staff use common e-mail to transfer PHI, you really should know better.
I’ve been asked to remain as un-acerbic as possible in this week’s posting. But if you really want to be made to feel uncomfortable anyway, by all means check out the governmental reporting requirements and penalties for these data breaches at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru...
Very informative/helpful post. Thanks.
Onsite systems might be easier to control, but if you are in a group with multiple providers that have devices/computers with remote access, you have to deal with many variables - the worst being human nature - the doctors who might not take note of adequate security measures on their home computers or the pocket devices they travel with. I am going to prepare a security guide for our practice regarding offsite systems - expectations of computer passwords, VPN and RDP passwords that are manually entered rather than saved, etc. My goal would also be to minimize devices with data. Maintain PHI on the servers - letters are in the EMR or in "My Documents" folders that are housed on the servers. All patient reports/lists, etc. get saved/stored and accessed via the server. This way desktop and tablet computers and handheld devices that might get stolen would have no PHI, only access to the servers where the PHI is stored. We would need to focus on securing servers in locked rooms/locked down/alarm systems, and on securing the computers/devices that access the data with appropriate levels of passwords, EMR passwords, timeout settings to automatically log off, and such.
Paperwork is another story as well - insurance reports, etc - are they shredded when done or stored in locked cabinets rather than sitting on someone's desk until the next day when they plan on finishing a task?
Very good outline of what needs to be addressed. Hopefully we continue to read about breaches as something that happens to others - I guess that is selfish - hopefully we start reading that breaches globally are a thing of the past because everyone is securing their data appropriately and staying ahead of the thieves and hackers.
Using an EHR? Yes - eClinicalWorks
Disclosure: Owner/practicing partner of Aquidneck Medical Associates, Inc. Contracted as the Case Management Physician Advisor at Newport Hospital (a Lifespan affiliate) and as an advisor for BCBS of RI to help facilitate HIT integration in community practices